In many ways, the Cyber Security and Resilience Bill announced in the King’s Speech is long overdue. The Bill is described as an “urgent update in the UK” and follows on from a review of the Network and Information Security (NIS) regulations conducted two years ago. The speech has since revealed that only just over half of operators of essential services caught under NIS updated or strengthened policies and processes since 2018 when it was brought in. On the continent there was also a growing awareness that NIS needed revising, leading the EU to draft and approve NIS2, now set to come into force in October.
The Bill aims to strengthen the UK’s cyber defences by ensuring that critical infrastructure and digital services are secure by protecting those services and supply chains. It’s expected to share common ground with NIS2 but there are also some elements that are notably absent. These differences could mean the Bill is not quite as burdensome as its European counterpart but equally, it runs the risk of making it not as effective. So, what are the similarities and differences?
Firstly, there’s the issue of scope. NIS2 will now apply to a great deal more entities than its predecessor covering two types of organisations classed as essential or important to the stability of their respective economies. The number of verticals it applies to will more than double from seven to 17, affecting over 160,000 entities. It will also apply to some SMEs, except those with 50 employees or less for the most part.
In contrast, the UK Bill will focus on protecting more digital services and supply chains and is less specific so there is no real indication as to whether it will venture beyond the five sectors (transport, energy, drinking water, health and digital infrastructure) and digital service providers (online marketplaces, search and Cloud Service Providers) already in scope, although MSPs have since been added. This scope may be due to the nature of the UK, which is very service-led, with the previous government stating that reforms would be tailored to the country’s economy.
Where there is more common ground is the increased emphasis on incident reporting. The Bill will mandate incident reporting expanding the type and nature of attacks, including ransomware. It’s anticipated this will ensure the government has access to more accurate data on threats and how these are evolving to help provide some foresight. However, the Bill has yet to detail the process involved in contrast to NIS2 which stipulates that an early warning should be made within 24 hours by essential entities or 72 hours in the case of important entities with respect to material attacks. Formal disclosure must be made within 72 hours and a full report within a month.
The Bill is also light on the details when it comes to the security controls that need to be put in place whereas NIS2 specifies the requirements for ICT products and services including cybersecurity certification, encryption and the use of open-source cybersecurity products, education and training on cybersecurity awareness, and risk management measures.
In addition, it also makes provisions for personal accountability at a senior level. The C-suite and Board of Directors must have oversight of the risk posture of the business, will need to undergo training in this regard and implement risk management controls. In the event of a breach, should this senior personnel be judged to have failed to maintain oversight and/or disclose an incident correctly they could be held liable, potentially leading to a bar from holding similar positions in the future.
The move to hold individuals accountable is something we’ve seen in other jurisdictions such as the US where the SEC tightened disclosure rules in July of last year. And yet the Bill hasn’t, so far, made any mention of a similar undertaking. This may be to allay fears and prevent a CISO exodus. Gartner has already warned that 25% of CISOs are likely to leave the industry by 2025 due to workplace pressure and the UK is being hit hardest by the cybersecurity skills shortages – an ISC2 report showed that the cybersecurity workforce gap rose nearly 30% last year, the highest in Europe.
While the Bill is expected to see more regulators brought on board for enforcement purposes with plans to finance their efforts, we don’t yet know what the penalties for non-compliance will be. Under NIS2 entities can be fined €10m or 2% of global annual revenue, whichever is higher, for essential entities and €7m or 1.4% of global annual revenue, whichever is higher, for important entities. The threat of such fines will no doubt act as a real incentive to those in scope to meet the requirements but does the failure to detail penalties potentially render the UK Bill toothless?
The problem now is that many businesses will be looking at both sets of regulations and scratching their heads in confusion. Should they assume that the Bill will follow the trajectory of NIS2 and make preparations accordingly or should they assume it will continue to take a lighter touch and one that may not even apply to them? There’s no doubt that NIS2 will introduce a significant compliance burden with one report suggesting it will cost upwards of 31.2bn euros per year.
Then there’s the issue of those that will need to comply with both sets of regulations i.e. those entities that either supply to customers or have offices on the continent. They will be looking for the types of commonalities we’ve explored here in order to harmonise their compliance efforts and achieve economies of scale. To do that they desperately need clarity on the Cyber Security and Resilience Bill and its requirements, which we can hopefully expect when Parliament reconvenes.
Whether the Bill continues to adopt a softly, softly approach or the more prescriptive approach adopted by NIS2, what we do know is that both regulations will raise the bar when it comes to cybersecurity risk management and incident response. This is to be welcomed as any investment in improving these will result in more effective threat detection, and bolstering defence which will ultimately reduce the likelihood of an incident and drive down the costs associated with mitigation.