With data breaches fast becoming one of the pre-eminent threats to businesses in 2024, organisations need to be well prepared for new regulatory and legislative developments.
With that in mind, in the recent King’s Speech the government announced its intention to introduce a Cyber Security and Resilience Bill, which is likely to bring long-awaited updates to the Network and Information Systems Regulations 2018 (NIS). Understanding the challenges ahead remains important if organisations are to stay on the front foot as the new regulation arrives.
The UK Government’s approach to cyber security has historically been largely reactive, particularly in comparison with the EU’s NIS 2 Directive. The upcoming Cyber Security and Resilience Bill is therefore welcome, and is likely to expand the scope of regulated digital services, including bringing managed service providers into scope.
As digital services − such as online marketplaces, search engines and cloud services − are now integral to the economy’s supply chain, this reflects the Government’s focus on their operational resilience.
In addition to digital services, sectors such as energy, transport, health, water and digital infrastructure have been regulated under NIS since 2018 as operators of essential services.
Staying one step ahead
There have been plans to update the regulations for some time – but what can we expect from the upcoming Bill?
- Support for a more proactive approach by the regulators.
- Expanded reporting requirements, such as the need to report on ransomware attacks.
- Cost recovery measures.
- Expansion of scope to include managed service providers, such as IT outsourcing services.
- Power for the Government to expand the scope of regulation to other services.
- Allowing regulators to designate critical suppliers or services − this ‘Critical Dependencies’ measure is intended to address the increasing concern about supply chain risk.
A proactive approach
In preparation for the upcoming Bill, organisations need to ensure that they both understand the parameters of the Bill and adopt proactive measures in response to it.
Organisations should start by confirming that they are properly registered with the appropriate regulator. This means establishing whether the organisation currently falls within the scope of NIS, or is likely to do so once the Bill is in force.
In addition, organisations should conduct risk assessments to identify the security controls and safeguards they need to put in place to mitigate the risks identified. The National Cyber Security Centre’s Cyber Assessment Framework is the preferred assessment framework for UK regulators and can be used to structure this work.
Supply chain mapping can also form an important part of any risk assessment. It involves reviewing supplier relationships, identifying those that are most critical and carrying out ongoing due diligence on those suppliers.
Organisations should also review their incident handling processes to ensure they are capturing the required information (once the Bill makes this clear) and have a process for notifying the correct regulators.
How effective will the legislation be?
Supply chains remain vulnerable to attack, and the effectiveness of the Bill will depend on its scope and the entities it brings in. There is uncertainty about how the supply chain will be handled within the new legislation, as well as ongoing ambiguity about the wider effectiveness of the Bill beyond supply chain risk.
Will legislators rely on regulated organisations imposing obligations on suppliers through contract, rather than directly imposing obligations on suppliers in law? For purchasing businesses, the ability to impose such obligations on suppliers often depends on bargaining power, so relying purely on contract may be challenging.
The effectiveness of the Bill will also depend on the resources allocated for implementation, including the availability of skilled personnel to interpret complex regulations, both within businesses and among the regulators tasked with supporting them. According to the Department for Science, Innovation and Technology’s 2024 study on Cyber Security Skills in the UK Labour Market, nearly half (48%) of cyber leads within businesses say they are not confident in their ability to undertake a cyber security risk assessment.
Risk assessment is a key aspect of UK cyber security regulation, from UK GDPR to NIS. Without good technical support and guidance, especially for smaller companies, the impact of this legislation in improving the UK’s cyber resilience may be limited.