Draft:Cyber Security and Resilience Bill (2024)

Review waiting, please be patient. This may take 4 months or more, since drafts are reviewed in no specific order. There are 2,385 pending submissions waiting for review. If the submission is accepted, then this page will be moved into the article space. If the submission is declined, then the reason will be posted here. In the meantime, you can continue to improve this submission by editing normally. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL Easy tools: Citation bot (help) | Advanced: Fix bare URLs Reviewer tools Instructions · What links here · Cyber Security and Resilience Bill (2024) (talk: + · bio) · (log) · Copyvios report · reFill · Citation Bot · (Search: Google, Bing, Wikipedia) · Submitted 20 days ago by Richard Nowell (talk: D · +) · Last edited 2 days ago by Richard Nowell

On July 17th 2024, it was announced at the State Opening of Parliament that the Labour government will introduce the Cyber Security and Resilience Bill (CS&R) which is intended to update the existing Network and Information Security Regulations 2018 (NIS).^[1][2] CS&R will strengthen the UK's cyber defences and resilience to hostile attacks to ensure that the infrastructure and critical services relied upon by UK companies are protected by addressing vulnerabilities and ensuring the digital economy can deliver growth.^[3]

The proposed legislation will expand the remit of existing regulation and put regulators on a stronger footing, as well as increasing the reporting requirements placed on businesses to help build a better picture of cyber threats to the UK.^[4] Its purpose is to strengthen the UK’s cyber defences and to ensure that critical infrastructure and the digital services that companies rely on are secure.^[5]

The new laws are part of the government’s pledge to enhance and strengthen the UK’s cyber security measures and protect the digital economy.^[6] CS&R will introduce a comprehensive regulatory framework designed to enforce stringent cyber security measures across various sectors. This framework includes mandatory compliance with established cyber security standards and practices to ensure essential cyber safety measures are being implemented. Ultimately, businesses will need to demonstrate their adherence to these standards through regular audits and reporting.^[7] Also included are potential cost recovery mechanisms to provide resources to regulators and provide powers to proactively investigate potential vulnerabilities.^[8]

The key facts are (quoting):^[3]

i) The current cyber security regulations [NIS] play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services.^[9] The regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Twelve regulators (competent authorities) are responsible for implementing the regulations.

ii) Hostile cyber actors are increasingly targeting UK critical sectors and supply chains. Recent serious high-profile attacks impacting London hospitals, and the Ministry of Defence as well as ransom attacks on the British Library and Royal Mail, have highlighted that our services and institutions are vulnerable to attack.

iii) The impacts of a cyber attack on these sectors pose severe risks to UK citizens, core services, and the economy at large. For example, as a result of the ransomware attack affecting the NHS in England in June [2024], 3,396 outpatient appointments and 1,255 elective procedures were postponed across King's College Hospital, Guy’s Hospital and St Thomas’ Hospital. The total cost of cyber attacks to the UK was estimated at £27 billion per annum in 2011 and this figure is likely to have increased.

It has been estimated that the cost of cybercrime in the UK in 2019 was $65.47 billion (approximately £50 billion).^[10]

iv) The National Cyber Security Centre assess that the increased threat from hostile states and state-sponsored actors continues to ramp up. At a recent speech at CyberUK, National Cyber Security Centre CEO Felicity Oswald warned that providers of essential services in the UK cannot afford to ignore these threats.^[11]

v) Two [NIS] Post-Implementation Reviews found the original regulations are having a positive impact, but that progress has not been fast enough.^[12] In 2022 the review found that they ‘are a vital framework in raising wider UK resilience against network and information systems security threats’, but updates are required to keep pace with growing threats. Just over half of operators of essential services have updated or strengthened existing policies and processes since the inception of the UK NIS Regulations in 2018, which were introduced after the EU’s NIS Directive 2016/1148.^[2][13]

Consequences

Digital verification services would be established and include "digital identity products to help the public quickly and securely share key information about themselves as they use online services in their everyday life."^[4]

A National Underground Asset Register would be created enabling "planners and excavators instant, standardised access to pipe and cable data around the country."^[4]

The Bill will enable the creation of 'smart data' schemes, "which would allow for the secure sharing of customer data, upon their request, with authorised third-party service providers."^[4]

It will introduce compulsory ransomware reporting so that the authorities can better understand the threat and "alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report."^[6][14] While this information collection is likely to increase resilience to attacks, the administrative burden for businesses from this reporting might well bring with it additional costs as well as the original cyber incident's expense.^[6]

As modern business practices are interconnected, organisations must ensure that their partners and suppliers also adhere to the standards set by the CS&R.^[6]

In the EU, the original Network and Information Security Directive of 2016 (NIS) is being updated to Directive 2022/2555, known as NIS 2.^[15][16] NIS 2 introduces wide-reaching changes to the existing EU cyber security laws for network and information systems.^[15] The CS&R should bring the existing UK NIS regulations 2018 to a framework similar to that of the EU.^[15]

The Bill as yet has no information on any punishments for non-compliance or what the data regulators' demands from an organisation that has experienced a cyber security incident will be.^[17]

Reaction

Former head of the NCSC Ciaran Martin along with other experts welcomed the legislative proposal. On social media, he wrote that the proposed legislation seemed sensible, with mandatory reporting requirements being significant and positive steps.^[18]

A representative of the CyberUp Campaign Matt Hull said that the organisation is looking forward to the Govt updating UK cyber resilience and in particular the Computer Misuse Act 1990. Any updates to this Act would help cyber professionals protect the U.K., safeguard the digital economy and unlock the potential growth within the cybersecurity industry.^[18]

See also

• Cyber Resilience Act - EU regulation to improve cybersecurity and cyber resilience.
• GDPR - The General Data Protection Regulation.
• Malware - Examples include Computer viruses, spyware and adware.

References

1. Seddon, P. (15 July 2024). "Key points in King's Speech at a glance". BBC News. Retrieved 30 July 2024.
2. "King's Speech: new cyber resilience laws planned in the UK". Pinsent Masons. 17 July 2024. Retrieved 5 August 2024.
3. "The King's Speech 2024" (PDF). UK GOV. p. 94. Retrieved 30 July 2024.
4. Griffin, A. (17 July 2024). "Labour announces host of new tech rules – but does not reveal much-hyped 'AI bill'". Independent. Retrieved 30 July 2024.
5. Patefield, D.; Broom, J.; Collings, A.; Tsolova, R.; Modha, T. (19 July 2024). "Government announces new Bill to strengthen the UK's cyber security and resilience". techUK. Retrieved 30 July 2024.
6. staff (18 July 2024). "Cyber Security and Resilience Bill: what businesses and insurers need to know". CMS Legal. Retrieved 30 July 2024.
7. "What businesses need to know about the Cyber Security and Resilience Bill". ITN. 22 July 2024. Retrieved 30 July 2024.
8. "UK set to debut Cyber Security and Resilience Bill to boost national cyber defenses, secure critical infrastructure". Industrial Cyber. 19 July 2024. Retrieved 30 July 2024.
9. "The Network and Information Systems Regulations 2018". Crown. 10 May 2024. Retrieved 4 August 2024.
10. "Annual cost of cybercrime in the UK 2017-2028". Ani Petrosyan. 1 December 2023. Retrieved 7 August 2024.
11. "CYBERUK 2024: Felicity Oswald keynote speech". National Cyber Security Centre. May 2024. Retrieved 15 August 2024.
12. "Second Post-Implementation Review of the Network and Information Systems Regulations 2018". Crown. 27 July 2022. Retrieved 15 August 2024.
13. "Directive (EU) 2016/1148 of the European Parliament and of the Council". Crown. 6 July 2016. Retrieved 22 August 2024.
14. Muncaster, P. (18 July 2024). "UK Government Set to Introduce New Cyber Security and Resilience Bill". Reed Exhibitions. Retrieved 5 August 2024.
15. Belcheva, R. (23 July 2024). "New Cyber Security & Resilience Bill announced in King's Speech". The Lens. Retrieved 13 August 2024.
16. "The NIS 2 Directive". Cyber Risk. 2022. Retrieved 13 August 2024.
17. Jones, C. (30 July 2024). "Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy". The Register. Retrieved 4 August 2024.
18. Akshaya, A. (17 July 2024). "UK Labour Introduces Cyber Security and Resilience Bill". Information Security Media Group. Retrieved 16 August 2024.