In April 2025, the Department for Science, Innovation and Technology (DSIT) published the Cyber Security and Resilience Bill policy statement, which outlines the confirmed and proposed measures for the forthcoming Cyber Security and Resilience Bill, hereafter referred to as the Bill.
The Bill is aimed at strengthening the UK’s cyber defences and building the resilience of essential services, infrastructure, and digital services, in addition to providing regulators with greater enforcement power and allowing government to act against emerging threats without the need for new primary legislation. It aims to align the UK with the EU Network and Information Security (NIS 2) Directive, as well as adding what it determines to be substantial improvements by bringing more entities into scope and putting regulators on a stronger footing.
The following graphic provides a high-level summary of the changes introduced by NIS 2, many of which have influenced the development of the Policy Statement:

The Measures
Bringing more entities into scope of the regulatory network
The proposed legislation aims to bring managed service providers (MSPs) within regulatory scope. As per the government definition, a managed service is a service which:
- Is provided to another organisation and relies on the use of network and information systems to deliver the service
- Relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks, including for the purposes of activities relating to cyber security
- Involves a network connection and/or access to the customer’s network and information systems.
If you are an MSP, your organisation will be subject to the same duties as firms that provide digital services under the 2018 NIS regulations, and the Information Commissioner’s Office (ICO) is to act as the regulator. It is estimated that this will impact 900-1100 MSPs; if your organisation is among them, it could face fines of £100,000 or 10% of its annual turnover for failing to comply.
Designating critical suppliers
The Bill will allow regulators to identify and classify certain high-impact suppliers as Designated Critical Suppliers (DCS) if their goods or services are vital enough that any disruption could seriously affect the essential or digital services they support.
In practice, DCSs would be subject to similar obligations to operators of essential services (OES) and relevant digital service providers (RDSP), as defined by NIS 2018. Although currently exempt, the Bill may result in small and micro RDSPs being designated as a critical supplier if they meet the criteria defined by the Bill.
Further, the Government is empowered to clarify, in secondary legislation, duties on OESs and RDSPs to manage supply chain risks. This can include contractual requirements, and continuity plans to prevent supplier vulnerabilities from undermining essential or digital services.
Technical and methodological security requirements
The Statement refers to the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), a resource that supports OESs and firms that provide digital services to manage and assess their cyber risks. The Government’s intent is to establish these principles and objectives on a ‘firmer footing’, making it essential for your organisation to follow the best practice defined by the CAF. The measure will update requirements from NIS, bringing them into closer alignment with NIS 2, in addition to extending those requirements to OESs.
Improving incident reporting
The Bill aims to update and enhance current incident reporting requirements for regulated entities by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting, and enhancing transparency requirements. This is to be complemented by the Government’s work on ransomware.
As part of this, regulated entities will need to notify the regulator and inform the NCSC of a significant incident no later than 24 hours after becoming aware of it, followed by a report within 72 hours. The notification to the regulator and the NCSC must occur simultaneously.
Transparency requirements will be strengthened, particularly for digital service providers and data centres in relation to incident reporting. If your organisation falls into one of these two categories, it will be required to notify affected customers if a significant incident occurs.
Improving ICO information gathering powers
The Bill intends to enhance the ICO’s capability to identify and mitigate cyber risks before they materialise, allowing for a more proactive approach compared to the current reactive approach.
It will also strengthen the ICO’s ability to gather information to assist it in determining criticality, through measures such as:
- An expanded duty for firms that provide digital services to share information with the ICO upon registration
- Expanded criteria for the ICO to use its existing power to serve information notices on firms that provide digital services
- Appropriate information gateways for other entities, outside the scope of the NIS Regulations, to share information with the ICO.
New powers will be introduced for the ICO to enforce compliance when entities fail to register.
Improving regulators’ cost recovery mechanisms
Regulators will be granted the authority to establish new fee regimes under the proposed legislation. This measure includes:
- A power to request information from regulated entities so that appropriate fees can be set proportionately
- A duty on regulators to publish a statement of charging principles
- A duty on regulators to consult with OESs and firms providing digital services setting out how funds are being used
- A duty on regulated entities to pay the fee.
Keeping pace with the ever-changing cyber landscape
Through the Bill, the Secretary of State will seek powers to update the regulatory framework without requiring an Act of Parliament, for example: bringing new sectors and sub-sectors into scope or introducing new requirements.
Additional Measures Under Consideration
In addition to the measures confirmed to be included within the Bill, there is consideration of bringing UK data centres into scope of the regulatory framework at or above 1 megawatt (MW) capacity, apart from enterprise data centres, which will only be in scope if they are at or above 10 MW capacity.
The Government is considering introducing a new power for the Secretary of State to publish a statement of strategic priorities, which would be consulted on with regulators. The published Statement is intended to be updated once every three to five years, and will be accompanied by a requirement for regulators to report annually on their progress against the objectives contained within the Statement.
There is also consideration of equipping the Secretary of State with a new power to issue a direction to a regulator on national security grounds, requiring it to exercise its functions to ensure that action is undertaken across its sectors.
Overall, What Does it Mean?
The Cyber Security and Resilience Bill reflects the Government's strong commitment to enhancing cyber resilience by expanding regulation, particularly for service providers like MSPs, and by granting regulators increased powers. Whilst the provisions and measures may be subject to change as the Bill passes through Parliament, if your organisation is in scope, its current form signals a need to prepare for a more closely governed and risk-aware operating environment.
How can URM help?
When it becomes law, the Bill will represent an entirely new development in the cyber security regulatory landscape, and for those entities impacted, understanding what your organisation must do to achieve compliance may be challenging. However, URM’s extensive experience providing cyber security, information security and business continuity consultancy means we are ideally positioned to help you prepare for compliance with this new addition to the UK’s regulatory framework. For example, our team of experts have already supported countless organisations’ compliance with the NIS 2 Directive, which the Bill is aiming to align with, providing us with a strong foundational insight into the Bill’s technical security requirements and how these can be implemented.
URM can also provide a range of services to strengthen your organisation’s security posture in general; to ensure your organisation has the fundamental cyber security measures in place that are recommended by the NCSC, URM can help you achieve Cyber Essentials and Cyber Essentials Plus certification. As a Cyber Incident Exercising (CIE) Assured Service Provider under the NCSC scheme, we can also deliver tailored and appropriate CIE that enables you to validate your incident response plans and enhance your cyber incident management capabilities. Meanwhile, URM’s range of CREST-accredited penetration testing services allows you to proactively identify and remediate vulnerabilities within your organisation’s digital environment before they can be exploited by a threat actor.