UK Proposes New Cyber Security and Resilience Bill to Boost the UK’s Cyber Defences

During the King’s Speech on 17 July 2024, the newly appointed UK Prime Minister announced the UK Government’s intention to introduce a new Cyber Security and Resilience Bill to strengthen the UK’s defences against the global rise in cyberattacks and to protect the UK’s critical infrastructure. In background briefing notes published together with the King’s Speech, the UK Government stated that the new Cyber Security and Resilience Bill will “strengthen our defences and ensure that more essential digital services than ever before are protected.” According to the briefing notes, the Cyber Security and Resilience Bill intends to address the concern that the UK has not kept up to date with recent legislative advancements made by the EU in the cybersecurity space, resulting in the UK being “comparably more vulnerable.” Although the form of the proposed Cyber Security and Resilience Bill has yet to be released, the UK Government has indicated that it plans to introduce the bill in the coming months.

It is anticipated that the Cyber Security and Resilience Bill will update the existing UK Network and Information Security (NIS) Regulations 2018 (NIS Regulations), akin to the approach taken by the EU in the updated Network and Information Security (NIS2) Directive – which is aimed at strengthening the security of critical infrastructure and digital services.

According to the briefing notes, the proposed Cyber Security and Resilience Bill will aim to make crucial updates to the UK’s cyber regulatory framework by:

  • Expanding the remit of regulation to not only cover “essential services” and “digital service providers” (per the current NIS Regulations’ regime) but also to “fill an immediate gap in our defences” and cover “more digital services and supply chains”.
  • Giving regulators greater powers to ensure cybersecurity measures are being implemented. The briefing notes stipulate that this would include potential cost recovery mechanisms to provide resources to regulators and powers to proactively investigate vulnerabilities.  
  • Mandating increased incident reporting by companies to allow the UK Government to better understand cyberattacks in the UK, particularly ransomware attacks.

The King’s Speech also addressed the UK Government’s intentions towards establishing legislation to regulate the development of artificial intelligence (AI). Although no specific legislation was referenced in the King’s Speech, this position is markedly different from the previous UK Government’s approach, which took a cross-sector and principles-based approach (rather than a legislative approach) towards regulating the development and use of AI.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.