The recent and hugely damaging ‘Dragon Force’ cyber-attack suffered by Marks and Spencer, Co-op and Harrods is another wake-up call to the advanced capabilities of hacker groups and the importance of cyber security. Just today, a supplier to Tesco and Aldi, Peter Green Chilled, has reported being targeted by hackers.
Significantly, in critical sectors such as energy, water, transport, health and digital infrastructure, the importance of cyber security is magnified many times over. Each sector delivers services that are essential to life and to the functioning of the whole economy. Imagine if a cyber-attack meant you could not access safe drinking water, travel to hospital in an emergency, turn the heating on in freezing weather or share the medical records of someone critically ill. And imagine if all those things happened at once.
This is why the government set out plans to boost the nation’s cyber defences through a new Cyber Security and Resilience Bill. The proposals, detailed in a recent policy statement, build on the 2018 Network and Information Systems Regulation (NIS), which introduced, for the first time, cyber security obligations on key operators in the water, transport, health, energy and digital services sectors.
Given yesterday’s headline on the UK-EU trade and security deal, it is no coincidence that the proposals align closely with cyber security enhancements introduced through the EU’s ‘NIS 2’ Directive. Such alignment is a key piece of the UK-EU security jigsaw.
The proposals significantly change the face of cyber security legislation in critical sectors on three fronts. First, the reach of the legislation will be dramatically increased. It will place security requirements on managed service providers and data centres, bringing the number of companies in scope from around 600 to over 1600. Critical operators will be required to tighten up security in their supply chains, and this will trigger additional responsibilities for thousands of supply chain companies (e.g. in the energy sector alone there are around 3000 – 9000 supply chain companies).
Second, the UK response to cyber-attacks in critical sectors will become more agile. Incident response reporting deadlines will be cut from 72 to 24 hours and information sharing will be intensified. Government will also have power to direct a company to act in the interests of national security if it believes more decisive, speedy action is needed.
Third, the proposals facilitate swift adaptation of the legislation in response to future cyber threats. They give the relevant Secretary of State the power to introduce changes through secondary legislation (regulations) rather than through primary legislation (a Bill). This is extremely welcome given the current pace of technological change. The Bill will be laid before Parliament later this year. Given the level of cyber threats currently being realised, this cannot come soon enough.
DETAIL OF KEY CYBER SECURITY AND RESILIENCE PROPOSALS
New cyber security obligations placed on 900-1100 Managed Service Providers (MSPs). MSPs are companies that provide services to businesses (such as payroll, HR or sales) where the service provision involves gaining access to the client company’s IT networks and systems. As the 2024 attack on the payroll system of the Ministry of Defence demonstrated, MSPs offer an attractive attack route for malicious actors.
Supply chain security will be strengthened in critical sectors. Direct obligations will be placed on Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs) to actively manage cyber risk in their supply chains through, for example, contractual requirements, security checks or continuity plans. Regulators will also have the power to ‘designate Critical Suppliers’, i.e. bring a specific supply chain company into scope of the legislation.
Regulators will be able to enforce technical standards. The DSIT Secretary of State would have the power to enforce codes of practice setting out how the guidance on the regulatory requirements should be satisfied.
Improved incident reporting. The definition of what constitutes a reportable incident will be widened and reporting deadlines reduced from 72 to 24 hours. More transparency on information sharing will be required from OES and RDSPs to ensure that customers are alerted to incidents sooner, and to ensure government has better data on attacks generally.
Faster legislative change to keep pace with the changing threat. The Secretary of State will have the power to update requirements through regulations rather than an Act of Parliament. Changes might include, for example, bringing new sectors into scope or increasing security requirements in certain areas.
Finally, the document also highlights four ‘additional’ measures under consideration which were not mentioned in the King’s Speech. They are:
Bring data centres (c. 1 MW capacity) into scope of the cyber legislation.
Require all twelve cyber regulators to report on progress against a Statement of Strategic Priorities set out by government.
Empower the Secretary of State to direct either i) a regulator or ii) regulated entities (OES/RDSPs) to take action when necessary for national security.