The UK’s new government has teased further details of its proposed Cyber Security and Resilience Bill, confirming that it will contain a clause that mandates centralised incident reporting, including in the event cyber attacks that involve ransomware.
Keir Starmer’s incoming administration first brought forward the possibility of a mandatory reporting law in the King’s Speech in July 2024, and the bill’s two core objectives – to expand the remit of current regulation and paint a more accurate picture of the threat landscape – were warmly welcomed by experts at the time.
In the update, published on Wednesday 30 October to little fanfare, Westminster said that it planned to introduce the bill in 2025, and that a public consultation is in the planning stages.
It said recent events – such as ransomware attacks on NHS suppliers and hostile state actors caught lurking in Ministry of Defence networks – showed the impacts of cyber incidents could be severe, and that the UK’s laws had not kept pace with the rate of technological change, hence action to strengthen the country’s defences and protect critical national infrastructure (CNI) and digital services was a priority.
Additionally, it said, existing regulations reflect law inherited from Brussels following Brexit, and as these are now being rapidly superseded in the European Union (EU), change is even more urgently needed to ensure the UK does not mark itself out as a soft target in Europe, and to help British businesses remain on par with their competitors and peers across the Channel.
Crucial updates
The bill will make “crucial updates” to this legacy framework by, firstly, expanding its remit to protect more sectors, filling gaps in defences and hopefully preventing more attacks – such as that on NHS lab services partner Synnovis that disrupted patient care across South London during the summer.
Secondly, the government hopes to put regulators – such as the Information Commissioner’s Office (ICO) – on a stronger footing to ensure proper security measures are being implemented, potentially including cost recovery mechanisms to better resource these bodies, and enhancing their powers to proactively investigate vulnerabilities on their own. It expects a total of 12 regulatory bodies will ultimately hold, and benefit from, these responsibilities.
Finally, it hopes mandated incident reporting will provide it with better data on security incidents and ransomware attacks, helping improve overall understanding of the threat landscape and even providing early warning of potential attacks.
At the current stage of planning, the regulations will cover the transport, energy, drinking water, health and digital infrastructure sectors, and digital services including online marketplaces, search engines, and cloud computing services.