The UK’s technology secretary revealed the full breadth of the government’s Cyber Security and Resilience (CSR) Bill for the first time this morning; among the measures still under consideration are daily fines of £100,000 ($129,000) for failing to act against specific threats.
Slated to enter Parliament later this year, the CSR bill was teased in the King’s Speech in July, shortly after the Labour administration came into power. The gist of it was communicated at the time – to strengthen the NIS 2018 regulations and future-proof the country’s most critical services from cyber threats – and Peter Kyle finally detailed the plans for the bill at length today.
Kyle said the CSR bill comprises three key pillars: expanding the regulations to bring more types of organization into scope; handing regulators greater enforcement powers; and ensuring the government can change the regulations quickly to adapt to evolving threats.
Additional amendments are under consideration and may add to the confirmed pillars by the time the legislation makes its way through official procedures. These include bringing datacenters into scope, publishing a unified set of strategic objectives for all regulators, and giving the government the power to issue ad-hoc directives to in-scope organizations.
The latter means the government would be able to order regulated entities to make specific security improvements to counter a certain threat or ongoing incident, and this is where the potential fines come in.
If, for example, a managed service provider (MSP) – a crucial part of the IT supply chain – failed to patch against a widely exploited vulnerability within a time frame specified by a government order, and was then hit by attacks, it could face daily fines of £100,000 or 10 percent of turnover for each day the breach continues.
“Resilience is not improving at the rate necessary to keep pace with the threat and this can have serious real-world impacts,” said Kyle. “The government’s legislative plan for cyber security will address the vulnerabilities in our cyber defenses to minimize the impact of attacks and improve the resilience of our critical infrastructure, services, and digital economy.”
The three pillars
In terms of what will definitely feature in the CSR bill later this year, not much has changed from what was teased in the King’s Speech. We knew MSPs would be brought into scope. They were supposed to be brought into the NIS regulations in the proposed 2022 update, but those proposals never came into effect.
Kyle cited the Cloud Hopper attacks on MSPs and the more recent blitz on the Ministry of Defence’s personnel system as examples of how hits on MSPs can affect critical services.
We also knew regulators would be given extra powers to ensure the industries they oversee can meet the requirements of the new legislation and guide in-scope entities on reaching compliance. A big part of this will involve introducing mandatory incident reporting to regulators and the National Cyber Security Centre (NCSC), and requiring more types of incidents (less severe ones) to be reported too. The initial early warning report of a significant breach will have to be made within 24 hours, and a full incident report handed to regulators and the NCSC within 72 hours.
For reference, the EU’s NIS2 and the US’s CIRCIA enforce 72-hour windows for just the early reporting stage, making the UK’s implementation of mandatory incident reporting more stringent than that of its geopolitical peers.
Additionally, the Information Commissioner’s Office (ICO) will receive greater information-gathering powers.
The third pillar – giving the government the authority to flexibly adapt the regulations as new threats emerge – is the lesser known of the three and wasn’t really referred to in the King’s Speech.
This could bring even more organizations into scope quickly, change regulators’ responsibilities where necessary, or introduce new requirements for in-scope entities.
“The proposed measure will ensure that cyber legislation remains relevant and effective by providing a mechanism for timely updates,” said Kyle. “This will enhance the UK’s regulatory framework, particularly in sectors critical to national security and economic stability. It also provides flexibility to these measures to adapt and accommodate changes in the CNI [critical national infrastructure] landscape.
“Ultimately, the measure will support and better maintain proportionality in regulation, and ensure ongoing protection of essential services, thereby benefiting both the government and the public.”
Possible additions
In addition to the possibility of the government stepping in to make ad-hoc demands in response to systemic events and the associated fines, the CSR bill may include provisions to bring datacenters into scope.
Although this wasn’t one of the considerations raised in the King’s Speech, there were signs that datacenters would be brought under security regulations, the most obvious being the UK’s designation of them as CNI in September.
Given that the CSR bill’s purpose is to improve the cyber resilience of the UK’s most critical sectors, it makes sense that datacenters would be treated similarly to hospitals and energy suppliers. Recent research suggests that of the 224 colocation datacenter facilities in the UK, which are managed by 68 operators, 182 sites and 64 operators would be brought into scope of the CSR bill.
The final possible addition to the bill is the power of the government to publish a Statement of Strategic Priorities, which will serve as a unified set of objectives for the implementation of the regulations. The idea is that this statement will be updated every three to five years and ensure consistent enforcement across all regulators.
Deep concern for cyber resilience
In revealing the bill’s details today, the tech secretary said the UK continues to face “unprecedented threats” to CNI, citing various attacks that plagued the country in recent times. Synnovis, Southern Water, local authorities, and those in the US and Ukraine all got a mention, and that’s just scratching the surface of the full breadth of recent attacks.
Kyle said in an interview with The Telegraph that shortly after the UK’s Labour party was elected, he was briefed by the country’s spy chiefs about the threat to critical services – a session that left him “deeply concerned” over the state of cybersecurity.
“I was really quite shocked at some of the vulnerabilities that we knew existed and yet nothing had been done,” he said.
Illustrating the scale of the issue, figures from reinsurance biz Chaucer showed a 586 percent increase in attacks on UK utility companies in 2023 compared with the previous year.
Further, the NCSC’s annual review, published in December, revealed that the number of nationally significant incidents it was called in to handle stood at 89 compared to 62 the previous reporting year.
Twelve of these were Category 1 incidents – national cyber emergencies requiring Cabinet Office Briefing Rooms (COBR) meetings to be held.
Commenting on the CSR bill today, NCSC CEO Richard Horne said: “The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defenses of the critical services on which we rely every day, such as water, power, and healthcare.
“It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.
“By bolstering their cyber defenses and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organizations of all sizes will be better prepared to meet the increasingly sophisticated challenges.”
However, William Richmond-Coggan, partner of dispute management at legal eagle Freeths, warned:
“Even if every organization that the new rules are directed to had the budget, technical capabilities and leadership bandwidth to invest in updating their infrastructure to meet the current and future wave of cyber threats, it is likely to be a time-consuming and costly process bringing all of their systems into line.
“And with an ever evolving cyber threat profile, those twin investments of time and budget need to be incorporated as rolling commitments – achieving a cyber secure posture is not a ‘one and done’. Of at least equal importance is the much needed work of getting individuals employed in these nationally important organisations to understand that cyber security is only as strong as its weakest link, and that everyone has a role to play in keeping such organisations safe.” ®