UK unveils sweeping Cyber Security Bill to fortify critical infrastructure

The government sets out the scope and ambition of the Cyber Security and Resilience Bill for the first time.

The UK government has unveiled comprehensive plans for its Cyber Security and Resilience Bill, aimed at bolstering the nation’s digital defences and safeguarding economic growth. The legislation, set to be introduced later this year, will mandate stricter cyber security measures for critical national services, including hospitals, energy suppliers, and key IT service providers and suppliers.

The move comes as cyber threats continue to escalate, costing the UK economy billions (almost £22 billion ($28.4 billion) between 2015 and 2019) and disrupting essential public services. Recent incidents, such as the attack on NHS pathology provider Synnovis which resulted in significant appointment cancellations and an estimated £32.7m ($42.3m) loss, have underscored the urgent need for enhanced cyber resilience.

Wes Streeting, Health and Social Care Secretary, highlighted the importance of protecting the NHS, stating: “Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place. This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our Plan for Change.”

The bill will bring approximately 1,000 IT service providers under its scope, requiring them to adhere to robust cyber security standards. This aims to protect supply chains and prevent them from becoming easy targets for cybercriminals.

Focus on financial services

The financial services sector, a critical component of the UK economy, will be subject to heightened scrutiny under the new legislation. Given the sector’s interconnectedness and the sensitive nature of the data it handles, the bill will mandate stringent cyber resilience practices. This includes enhanced risk management, incident reporting, and resilience testing. Financial institutions will be required to demonstrate their ability to withstand and recover from cyberattacks, ensuring the stability of the financial system.

The legislation acknowledges the increasing reliance of financial services on third-party IT providers, and therefore places requirements on those providers also. This will ensure the whole financial supply chain is more secure. The government will be working closely with financial regulators to ensure the implementation of these measures is effective.

“Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable,” stated Peter Kyle, Secretary of State for Science, Innovation, and Technology. “Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.”

More power for Technology Secretary

The government is also exploring additional measures, including giving the Technology Secretary powers to direct regulated organizations to strengthen their cyber defences and potentially extending protections to over 200 data centres, which are crucial for economic growth and innovation.

Richard Horne, CEO of the National Cyber Security Centre (NCSC), emphasized the significance of the bill, saying: “The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare. It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.”

The NCSC reported managing 430 cyber incidents in the year to September 2024, with 89 classified as nationally significant, highlighting the persistent and evolving nature of the threat. The Cyber Security Breaches Survey also revealed that 50% of British businesses experienced a cyber breach or attack in the past 12 months, with over 7 million incidents reported.

The bill will require organizations to report more cyber incidents, providing regulators with a clearer picture of threats and vulnerabilities. It also grants the government greater flexibility to update regulatory frameworks in response to emerging threats and technological advancements.

The proposed legislation follows other recent government initiatives, including the development of a new AI cyber security standard to protect AI systems, a new international coalition to boost cyber skills and the Cyber Local programme to support the UK’s rapidly growing £13.2 billion ($17.1 billion) cyber security industry, which has created 6,600 new jobs in the past year.