UK Taking Aim at Critical Infrastructure Cyber Resilience With New Proposed Rules

November 19, 2025

Businesses that fall into the 13 critical infrastructure sectors in the UK could soon be subject to new cyber resilience requirements, and stronger penalties for cyber incidents, should the new Cyber Security and Resilience Bill make its way through Parliament into law in its current form.

One major point of note is that the bill specifically names managed service providers (MSPs) and data centers as entities to be brought under the new rules, after a string of highly damaging attacks on the likes of the NHS and the Ministry of Defence were traced back to breaches of contractors. If it passes in anything resembling its current form, the bill will serve as a significant upgrade to the Network and Information Systems (NIS) Regulations 2018, presently the only UK law that sets cyber defense requirements across the different critical infrastructure sectors.

Cyber resilience bill still has a long path to activation, but is expected to pass

The cyber resilience bill is not yet law, and still has a substantial path to adoption that involves seven more stages and approval from both Houses. However, it is expected to ultimately emerge in some form (though it is entirely possible that some of its terms will have changed by then).

At the moment, this is what impacted organizations should expect. The UK’s roughly 1,000 MSPs should anticipate having the full weight of the new rules placed upon them, as they have been a point of focus since an initial attempt to bring them under these same regulations in the 2022 NIS update. While the final terms are still not entirely clear, organizations can begin using the new Cyber Governance Code of Practice and the Cyber Assessment Framework to prepare for what can reasonably be anticipated.

At the moment, the cyber resilience bill focuses much more on reporting requirements than on testing. However, there are some new specific defense mandates for impacted organizations. In terms of reporting, incidents classed as “more harmful” would have to be reported to the National Cyber Security Centre (NCSC) within 24 hours, with a full incident report to follow within 72 hours. MSPs and data centers impacted by such a breach would also be required to notify their customers “promptly,” though the exact specifics in this area have not yet been hammered out.

Digital service providers get special regulatory attention after targeted hacks

Companies directly in the 13 critical national infrastructure sectors will of course be impacted, but so will subsectors and a good deal of individual suppliers and contractors. This would bring IT management, IT help desk support and cyber security services under national cyber law for the first time. A good rule of thumb: if your organization has some manner of access to secure systems in government, to direct critical infrastructure provision, or to business networks large enough that taking them down could cause major national disruption, expect the new rules to apply to you.

And even if a company is not covered under the general terms, the cyber resilience bill gives the Technology Secretary the power to impose temporary enhanced security orders on particular organizations if a threat to national security is detected. Regulators might also be able to designate otherwise non-covered entities as “critical suppliers” on an ongoing basis; the specific criteria for this have not yet been fully established.

The new rules are seemingly a lot to absorb for potentially impacted organizations, but despite the remaining uncertainty, early preparation is crucial: as of now, the proposed penalties for cyber resilience failures that lead to serious breaches are daily fines of £100,000 or 10% of daily turnover, whichever amount is higher.