Stuart Gentle Publisher at Onrec

How can businesses prepare for the UK’s Cyber Security and Resilience Bill? Insights from Punter Southall Law

As cyber threats become more frequent, sophisticated and damaging, UK businesses are being urged to prepare now for the Government’s forthcoming Cyber Security and Resilience Bill. The proposed legislation - outlined in a Government policy statement on 1st April 2025[i] - aims to significantly expand the UK’s cyber security regulatory framework.

Jonathan says, “The Bill will extend the UK’s cyber security regime and, in many ways, mirrors the EU’s NIS2 Directive, which started applying to businesses in October 2024 as a legal framework to uphold cybersecurity in 18 critical sectors across the EU. Providers of digital or B2B IT services operating in both the UK and EU will already be adapting to NIS2, but this means they must now do the same for their UK operations too.”

In its policy statement the Government warns of the growing risk posed by cyber criminals and hostile states. A ransomware attack on the NHS last year resulted in more than 11,000 postponed outpatient appointments and procedures[ii]. Meanwhile, the 2024 Cyber Breaches Survey[iii] found that over half of UK businesses had suffered a cyber security breach or attack in the past year.

Jonathan adds, “This isn’t just about ticking compliance boxes. It’s about protecting your business, your clients, and your reputation in an increasingly hostile digital environment. It’s worth noting that the Bill could also impact smaller businesses. Some SMEs who were previously exempt under the current NIS regime may now fall within scope, especially those providing essential or digital services.”

The key changes:

Below are some of the key changes outlined in the latest policy statement:

  • More IT service providers in scope. The new legislation is set to expand the scope of the regime to cover managed service providers (MSPs). The formal definition of MSPs will encompass a significant number of B2B IT service providers. The Government is still working on its formal definition of MSPs but estimates that an additional 900-1100 MSPs will come within the scope of the new regime. It is currently unclear how it arrives at this number, and the real number could be many more.
  • Tight incident reporting deadlines. A new two-stage reporting structure is to be introduced. When a significant incident occurs, in-scope companies will have to make an initial report within 24 hours and a more detailed report within 72 hours of the incident. Reports will also have to be made to the National Cyber Security Centre (NCSC) as well as to the relevant regulator. In some circumstances customers will also have to be told.
  • More powers for the Information Commissioner’s Office (ICO). The new regime will enhance the ICO’s powers to gather information and serve notices, and there will be an expanded duty for some firms to share information with the ICO. The ICO will also be the enforcement body for MSPs.
  • Data centre implications. The Government is considering whether data centres will be explicitly classified as critical national infrastructure in the Bill. If they are, they will attract more regulatory oversight.
  • Designated Critical Services Providers (CSPs). Regulators are to be given new powers to designate suppliers as CSPs if their services are deemed critical to the operation of essential or digital services. This could include SMEs previously outside the UK’s NIS regime, potentially subjecting them to increased scrutiny. It may also give regulators the power to single out some organisations for particular scrutiny.
  • Financial contributions from the regulated. The Bill will include an enhanced registration regime, with the intention that organisations pay registration fees to support the regulatory regime, and new powers are proposed for the ICO to enforce payment. The power to raise more money through registrations, coupled with the ability to designate even a micro business as a CSP, could mean a significant financial burden for some organisations.

How can businesses prepare?

With the draft Bill expected to be presented for parliamentary scrutiny later this year, Jonathan outlines some practical tips for businesses to keep in mind now:

  • Monitor developments.  Work out the likely scope and impact on the organisation by keeping up to date with what’s happening with the Bill.
  • Look at processes and procedures. Most organisations now have a data breach reporting procedure to meet GDPR reporting deadlines. Like NIS2, the proposed new reporting obligations have tighter time limits and are likely to be wider in nature. Organisations should ensure their procedures reflect this. Also review any additional reporting requirements, e.g. those under DORA[iv] or the EU AI Act[v].
  • Train people. Ensure key personnel are up to date on new reporting obligations and incident management.
  • Look at the organisation’s response team. Make sure that they are ready to report within 24 hours when required.
  • Rehearse incidents. Experience shows that organisations which regularly rehearse cyber security incidents handle them more effectively.
  • Look at and amend supplier contracts. Organisations may need suppliers to tell them more quickly about incidents given the additional reporting obligations.
  • Look at the technical and organisational measures (TOMs) used to stay secure. As technology moves on, organisations need to check they are still best placed to defend themselves against current threats, including AI-based threats. The NCSC has information on current risks and practical guidance on prevention[vi].
  • Tell the board and audit committee about any increased liability. Make sure there are people on the board who understand the requirements of the Bill and cybersecurity risk more generally.

Jonathan concludes, “As UK businesses prepare for this new legislation, it’s vital they not only know their obligations and prepare to comply, but also implement robust strategies for long term resilience against cyber threats. Organisations should seek specialist advice to manage these changes and fully understand their responsibilities under the new Bill.”