UK officially unveils cyber security and resilience bill to counter rising threats

New legislation aims to protect key sectors as cyberattacks surge


By Kenneth Araullo

The UK government has introduced the Cyber Security and Resilience Bill to Parliament, aiming to enhance the country’s defences against cyber threats.

The Bill, presented for its first reading today, proposes reforms to the existing Network and Information Systems (NIS) Regulations 2018, with a focus on safeguarding essential and digital services.

The legislation is designed to improve the security of key sectors such as healthcare, energy, water, and transport. According to the government, these measures are intended to reduce the risk of disruption to public services, including hospitals and utilities, by strengthening cyber protections for organisations that underpin daily life and economic activity.

The introduction of the Bill comes at a time when the UK is experiencing a marked increase in cyber threats. Recent reports indicate that the country now faces an average of four major cyberattacks each week, with critical infrastructure and large businesses frequently targeted.

This escalation in both frequency and severity of attacks has placed additional pressure on organisations and insurers to bolster their cyber resilience.

Under the proposed laws, medium and large companies that provide IT management, help desk support, and cyber security services to both public and private sector organisations would be regulated for the first time.

These firms, which often have trusted access to critical infrastructure and government networks, would be required to meet specific security obligations, including promptly reporting significant cyber incidents and maintaining robust incident response plans.

Regulators would also gain new authority to designate certain suppliers as critical to the UK’s essential services. This would apply to companies supplying healthcare diagnostics to the NHS or chemicals to water firms, provided they meet set criteria.

Designated suppliers would need to comply with minimum security standards, addressing vulnerabilities in supply chains that could be exploited by cyber criminals.

The heightened threat environment is reflected in the insurance sector as well. Over the past year, cyber insurance claims in the UK have surged by 230%, with ransomware attacks accounting for a significant share. The financial and professional services sectors have been especially impacted, underscoring the growing financial and operational risks associated with cyber incidents.

Modernising the cyber risk framework

The Bill includes provisions for modernising enforcement, introducing stricter penalties for serious breaches based on company turnover. The government states that these measures are intended to ensure that maintaining strong cyber defences is not more costly than the consequences of non-compliance.

Additionally, the Technology Secretary would be granted new powers to direct regulators and the organisations they oversee, such as NHS trusts and utility providers, to take specific actions to prevent cyber attacks when there is a threat to national security. This could involve increasing monitoring or isolating high-risk systems.

The Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure could temporarily increase government borrowing by over £30 billion, or 1.1% of GDP. Independent research published alongside the Bill indicates that the average cost of a significant cyber-attack in the UK now exceeds £190,000, amounting to approximately £14.7 billion per year, or 0.5% of GDP.

Science, Innovation, and Technology Secretary Liz Kendall said, “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.”

She added that the new laws would result in fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response to emerging threats.

Dr Richard Horne, CEO of the National Cyber Security Centre, commented that the real-world impacts of cyber attacks have become increasingly clear in recent months. He said the NCSC continues to work to support organisations facing rising threats and described the Bill as “a crucial step in better protecting our most critical services.”

Dr Horne emphasised that cyber security is a shared responsibility and encouraged all organisations to follow guidance from the NCSC and act with urgency.
