The introduction of the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament in the United Kingdom is the first of many steps in strengthening the country's ability to defend its digital borders and secure its fundamental infrastructure. Updating the UK's laws will bolster the existing legal framework, which in turn responds to the increasingly complex cyber threats facing key services and the broader economy.
Objectives and scope of the legislation
The bill updates the Network and Information Systems Regulations of 2018, expanding their scope to cover more digital and Operational Technology (OT) services.
The new bill aims to protect and strengthen the cyber systems of the sectors deemed most important and critical to day-to-day operations, including health, energy, transportation, and water. The new law will offer protection against cyber attacks and raise the minimum security requirements within the affected sectors, as well as within their supply chains.
This legislation means medium to large MSPs and OT suppliers will come under regulation for the first time. These companies frequently possess privileged access to vital networks and data and are likely adversary targets.
By bringing such providers under regulatory oversight, the government intends to mitigate the risks that gaps in emergency access pose to our national and critical national infrastructure.
Obligations and Compliance of the Affected Organizations
Under the legislation, these organizations are to:
- Implement necessary security controls in line with the most current relevant national standards
- Notify customers and relevant regulators of the occurrence of a significant cyber incident
- Have plans in place to sustain and recover from significant disruptions
It also gives regulators the power to verify compliance with the security measures through compliance audits and/or compliance investigations, ensuring that a minimum level of security is achieved and maintained. The urgency of these changes reflects the need to improve the UK’s cyber security posture overall.
Cybersecurity is national security
This legislation will enable us to confront those who disrupt our way of life. The new laws will make the UK more secure against these threats; keeping the UK safe now means keeping it cyber secure.
The bill is part of the government’s Plan for Change, addressing the new risks posed by cybercrime and state-sponsored attacks. Recent cybercrime studies indicate to the government that the cost to the UK economy is almost £15 billion per year, which is why the government must focus on these issues.
The UK has drawn lessons from the European Union’s NIS2 directive. It intends to remain flexible in its targets and policies, incorporating updates from the EU to keep the UK in line with international standards and practices.
Business and Essential Services Affected
The bill protects businesses in the regulated industries, but that protection comes at a cost: these businesses must introduce and comply with new regulations and invest in the required security measures. Managed service providers and OT suppliers are particularly affected, as they now face policies and standards they have not previously had to meet.
This further reflects the government’s acceptance that supply chains must be protected, as they are a significant vector for cyberattacks. The legislation is currently making its way through Parliament and is expected to receive Royal Assent. Once in effect, it will be one of the most consequential pieces of legislation for the UK’s cyber resilience, giving regulators more power and businesses more clarity.
