UK Government introduces Cyber Security and Resilience Bill into Parliament
12/11/2025 | UK Government
The Department for Science, Innovation and Technology (DSIT) has introduced the long-awaited Cyber Security and Resilience Bill (CSR Bill) to Parliament, aimed at strengthening national security and protecting economic growth by boosting cyber preparedness and resilience across critical national infrastructure and essential services. The CSR Bill aims to prevent disruption to vital services, including healthcare, transport, energy, and water, by imposing more stringent security requirements on those who supply them.
The proposed legislation introduces several key changes.
For the first time, medium and large companies that provide digital and managed IT services to public and private sector organisations, such as the NHS, will be regulated. These suppliers must meet clear security obligations, including promptly reporting significant cyber incidents to the government and their customers, and having robust incident response plans.
Regulators will also gain new powers to designate critical suppliers to essential services, such as those providing healthcare diagnostics, requiring them to meet minimum security requirements and closing dangerous supply chain gaps. Enforcement will be modernised with tougher turnover-based penalties for serious breaches, ensuring that cutting corners is no longer cheaper than implementing strong protections.
Furthermore, the Technology Secretary will receive new powers to instruct regulators and the organisations they oversee to take specific, proportionate steps to prevent cyberattacks when a national security threat is present, such as requiring them to increase monitoring or isolate high-risk systems.
In-scope organisations will be required to report more cyber incidents to regulators and the National Cyber Security Centre (NCSC) within 24 hours and provide a full report within 72 hours. The CSR Bill also introduces new safeguards for organisations managing the flow of electricity to smart appliances, such as electric vehicle charge points, bolstering the UK's energy security and reducing the risk of grid disruption.
The announcement of the CSR Bill comes as the government releases new independent research that estimates the average cost of a significant cyberattack in the UK now exceeds £190,000.
In a statement responding to the news, Information Commissioner John Edwards said: "We welcome the introduction of the Cyber Security and Resilience (Network and Information Systems) Bill in the House of Commons and look forward to seeing it progress through the parliamentary process. This is an important piece of legislation that will strengthen the country's cyber resilience and ultimately better protect people's data."