UK publishes proposals for NIS 2-equivalent Cyber Security and Resilience Bill

April 16, 2025

The UK’s planned overhaul of legislation designed to protect critical national infrastructure (CNI) will apply to a wider range of sectors and introduce tough new incident reporting requirements.

These measures accord with a promise to align the Cyber Security and Resilience Bill, “where appropriate”, with the EU’s NIS 2 regulation, made in a policy statement issued by the Department for Science, Innovation & Technology (DSIT) on 1 April.

The bill, announced (PDF) in July 2024 shortly after the Labour government entered office, will supersede the EU’s Network and Information Systems (NIS) Regulations 2018. Although the 2018 NIS regulation was supplanted in the EU last year by NIS 2, the first NIS framework has continued to apply in the UK due to the country’s departure from the trading bloc in 2020.

The policy statement for the bill says it will draw on “insights we have gathered from our international partners, including valuable lessons from the European Union on the implementation of its NIS2 regime”.

The bill “will address the specific cyber security challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive”. With Prime Minister Keir Starmer having declared growth his defining mission, the policy statement adds that “this strategic approach ensures we can be flexible and responsive to cyber threats in a proportionate way that balances the impact on business”.

Data centres, managed service providers in scope

Incident reporting obligations will, in alignment with NIS 2, require in-scope entities to notify relevant authorities of significant security incidents within 24 hours, and then submit a more detailed report within 72 hours.

Also mirroring NIS 2, the bill will bring managed service providers (MSPs) into scope, with the policy statement noting their “unprecedented access to clients’ IT systems, networks, infrastructure and data”.

Data centres, which were designated as CNI in September 2024, will also be in scope. Those above a certain capacity threshold will have to share information with authorities, and comply with obligations around risk management and “reporting significant incidents”.

Supply chain security will also become a focus of UK cyber law – another similarity to NIS 2 – through secondary legislation that will introduce new duties for operators of essential services (OESs) and relevant digital service providers (RDSPs). These duties will include “appropriate and proportionate measures [...] to prevent vulnerabilities in suppliers from undermining essential or digital services”.

Regulators will also be empowered to “designate specific high-impact suppliers as ‘designated critical suppliers’ (DCS)”, which will be subject to “core security requirements and incident reporting obligations”.

Expect more alignment

Recognising the fast-evolving nature of cyber threats, the legislation will grant the DSIT Secretary of State powers to rapidly update regulations without needing fresh primary legislation.

While the policy statement repeatedly hints at less onerous business-friendly regulations, the need to minimise compliance burdens and facilitate cross-border cooperation and information-sharing will surely ensure a high degree of alignment with NIS 2.

NIS 2 has broadened the range of in-scope sectors, divided them into “essential” and “important” categories, strengthened information-sharing measures, and introduced various measures for facilitating coordinated vulnerability disclosure (CVD).

To find out how YesWeHack can help you comply with UK and European cyber regulations, contact our sales team or book a demo of our Bug Bounty, vulnerability management and attack surface management platform.