UK proposes New Cyber Security and Resilience Bill to Boost the UK’s Cyber Defences
During the King’s Speech on 17 July 2024, the newly appointed UK Prime Minister announced the UK Government’s intention to introduce a new Cyber Security and Resilience Bill to strengthen the UK’s defences against the global rise in cyberattacks and to protect the UK’s critical infrastructure. In background briefing notes published together with the King’s Speech, the UK Government stated that the new Cyber Security and Resilience Bill will “strengthen our defences and ensure that more essential digital services than ever before are protected.” According to the briefing notes, the Cyber Security and Resilience Bill intends to address the concern that the UK has not kept up-to-date with recent legislative advancements made by the EU in the cybersecurity space, resulting in the UK being “comparably more vulnerable.” Although the form of the proposed Cyber Security and Resilience Bill has yet to be released, the UK Government has indicated that it plans to introduce the bill in the coming months.
It is anticipated that the Cyber Security and Resilience Bill will update the existing UK Network and Information Security (NIS) Regulations 2018 (NIS Regulations), akin to the approach taken by the EU in the updated Network and Information Security (NIS2) Directive – which is aimed at strengthening the security of critical infrastructure and digital services.
According to the briefing notes, the proposed Cyber Security and Resilience Bill will aim to make crucial updates to the UK’s cyber regulatory framework by:
- Expanding the remit of regulation to not only cover “essential services” and “digital service providers” (per the current NIS Regulations’ regime) but also to “fill an immediate gap in our defences” and cover “more digital services and supply chains”.
- Giving regulators greater powers to ensure cybersecurity measures are being implemented. The briefing notes stipulate that this would include potential cost recovery mechanisms to provide resources to regulators and powers to proactively investigate vulnerabilities.
- Mandating increased incident reporting by companies to allow the UK Government to better understand cyberattacks in the UK, particularly ransomware attacks.
The King’s Speech also addressed the UK Government’s intentions towards establishing legislation to regulate the development of artificial intelligence (AI). Although no specific legislation was referenced in the King’s Speech, this position is markedly different from the previous UK Government’s approach, which took a cross-sector and principles-based approach (rather than legislative approach) towards regulating the development and use of AI.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.