UK Cyber Security and Resilience Bill Policy Statement

The UK government chose 1st April 2025 to release details of its upcoming Cyber Security and Resilience Bill. The Bill is due to be introduced to parliament later in 2025 and could still evolve before then.

The Government recognises that existing controls are based on the Network and Information Systems (NIS) Regulations 2018 and that these date to a time when the UK was still part of the EU. New legislation will align with the current EU NIS 2 Directive where this is possible.

The overarching aim of the new bill is to protect critical digital assets and their supporting physical infrastructure. In 2018 the NIS defined these as ‘transport, energy, drinking water, health, and digital infrastructure’ and some digital services: ‘online marketplaces, online search engines, and cloud computing services’. In September 2024 the definition was expanded to UK data centres. This would extend coverage to arguably less essential information such as backups of smartphone images. Their inclusion is probably linked to the government wanting to bring more large data centres onto UK soil, with the DC01UK data centre that has been approved for construction in Hertfordshire being cited as a specific example. Many of these planned new data centres could be dedicated to AI processing, a growth which also fits in with the UK AI Action Plan. It will take several years to build these data centres and to put them online. Regardless of whether the government’s plans for AI and data centre growth take off, any new law needs to be in place beforehand, which sets an incentive for getting this bill fully worked up and passed into law.

In addition to processing within the critical infrastructure, Managed Service Providers (MSPs) are within the scope of the legislation. These are businesses that provide computing systems to other businesses, including those within the UK core infrastructure, but are out of their direct control. They can be a weak point in cyber defence, as a breach of their systems in turn affects the businesses that they support. For example, in March 2025 the ICO agreed a final penalty, with no appeal, of £3,076,320 on Advanced Computer Software Group Limited following a ransomware attack through a customer account that did not have multi-factor authentication, exposing personal information relating to 79,404 individuals. The government estimates that the public sector awarded over £7 billion annually in IT contracts to MSPs in 2022 and that between 1,500 and 1,7000 medium and large-sized providers could be within the scope of any new Cyber law.

Stronger measures will be set to strengthen the supply chain, with some bodies being defined as Critical Suppliers ‘if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports’. Many of these would also be classified as the Managed Service Providers already included. It could now include very small ‘Critical Suppliers’ who are currently exempt under the 2018 legislation.

The new plans are still somewhat vague but are likely to be firmed up as the bill evolves. There will be a degree of future-proofing, as the Secretary of State will be granted powers to extend the new regulations or to tailor their application to specific sectors.
