Saturday, January 18, 2025

UK’s Cyber Incident Reporting Law Set to Advance in 2025

The UK government has revealed additional details about its upcoming Cyber Security and Resilience Bill, which will include a requirement for centralized reporting of incidents, specifically addressing cyber attacks involving ransomware.

Keir Starmer’s incoming administration initially proposed the idea of mandatory incident reporting during the King’s Speech in July 2024. Experts responded positively to the bill’s two main goals: broadening the scope of existing regulations and providing a clearer view of the current threat environment.

In an update released quietly on Wednesday, October 30, Westminster announced plans to introduce the bill in 2025 and stated that a public consultation is being organized. The government cited recent incidents, including ransomware attacks on NHS suppliers and intrusions by hostile nation-state actors within Ministry of Defence networks, highlighting the severe consequences of cyber incidents. It emphasized that the current laws are lagging behind technological advancements, making it essential to strengthen the UK’s defenses and safeguard critical national infrastructure (CNI) as well as digital services.

Furthermore, it indicated that existing regulations are derived from EU law, which has been evolving rapidly since Brexit. As such, it is critical for the UK to update its legal framework to avoid becoming a vulnerable target in Europe and to keep British businesses competitive with their counterparts across the Channel.

Key updates in the bill will include significant revisions to the existing regulatory framework. First, it aims to broaden coverage to more sectors, filling existing gaps in cybersecurity defenses, and thereby reducing the likelihood of attacks similar to the disruption experienced by NHS lab services provider Synnovis during the summer.

Second, the government plans to empower regulators, including the Information Commissioner’s Office (ICO), to ensure robust security measures are in place. This may involve introducing mechanisms for cost recovery to better support these agencies and expanding their authority to investigate vulnerabilities independently. Ultimately, 12 regulatory bodies are expected to be involved and benefit from these enhanced responsibilities.

Lastly, the requirement for incident reporting is anticipated to yield improved data on security breaches and ransomware attacks, enhancing the government’s understanding of the threat landscape and potentially providing early warnings of future attacks.

In the bill’s current planning phase, the regulations are set to encompass the transport, energy, drinking water, health, and digital infrastructure sectors, as well as digital services such as online marketplaces, search engines, and cloud computing platforms.