Data Center Bytes

CRITICAL LEGAL AND OPERATIONAL CONSIDERATIONS SHAPING
THE DATA CENTER LANDSCAPE

New UK Cybersecurity Measures for Data Centers and Managed Service Providers

The UK government published on April 1 a policy statement setting out its proposals for the much-anticipated Cyber Security and Resilience Bill (the Bill). The proposals include bringing data centers and managed service providers within scope of the United Kingdom’s cybersecurity regulatory framework, strengthening supply chain obligations for designated operators of essential services, updating technical security standards, and new executive powers for the UK government to direct regulated entities in relation to a specific cyber incident or threat.

Many of these proposals dovetail with equivalent EU rules, though others, such as the proposed new executive powers of direction, may give multinational businesses cause for concern about potential extraterritorial impact. The proposals are presented at a high level, and the detail of the Bill, once published, will require close scrutiny.

Current Regulatory Framework

The United Kingdom’s cross-sector cybersecurity framework is currently underpinned by the Network and Information Systems (NIS) Regulations 2018 (2018 Regulations). The 2018 Regulations implement the EU NIS Directive and cover operators of essential services in five sectors—transport, energy, drinking water, health and digital infrastructure—and certain digital services, including cloud computing. The EU NIS Directive has since been replaced by the EU NIS 2 Directive, which does not have effect in the United Kingdom.

In recognition of the evolving threat landscape, the UK government announced in July 2024 its intention to introduce the Bill in order to address the specific cybersecurity challenges faced by the United Kingdom, while aligning, where appropriate, with the approach taken in the EU NIS 2 Directive.

Key Proposals

  • New duties for data centers: In September 2024, the UK government designated data centers as “critical national infrastructure.” It now intends to bring data centers at or above 1 MW capacity (or 10 MW for enterprise data centers) within scope of the updated cybersecurity framework, including duties to report significant incidents, to notify the regulator of and provide certain information, and to have in place appropriate and proportionate risk management measures. Further detail on the timing of implementation is awaited, and these new duties may not necessarily form part of the Bill itself. Nevertheless, the UK government estimates that around 182 third-party data centers and 64 operators will be brought within scope; the number of enterprise data centers affected will be much lower.
  • Bringing managed service providers (MSPs) within scope: The scope of MSPs will be defined in the Bill and the policy statement includes only principles of what the UK government considers to be an MSP. It is expected to cover third-party services that connect to or access a customer’s network and information systems, and provide any of the following: ongoing management support, active administration or monitoring of information technology (IT) systems, IT infrastructure, applications, or IT networks, including for the purpose of activities relating to cybersecurity. MSPs will be treated as digital service providers under the updated framework and subject to the incident reporting requirements and technical security standards, among other requirements.
  • Supply chain security – Designated Critical Suppliers: The UK government intends to enable regulators to identify “designated critical suppliers,” being suppliers whose disruption could have a significant disruptive effect on the essential or digital service they support. Designated critical suppliers will be subject to obligations comparable to those of operators of essential services and digital service providers. The duties will be set out in secondary legislation and will be subject to consultation.
  • Expanded incident reporting requirements: The Bill will expand the scope of reportable incidents to capture those that are capable of having a significant impact on the provision of the essential or digital service, and incidents that significantly affect the confidentiality, availability, or integrity of a system. This aligns with equivalent EU requirements. In addition, the Bill will create a two-stage incident reporting structure to both the regulated entity’s sectoral regulator and the UK National Cyber Security Centre, as follows: (1) within 24 hours of becoming aware of a significant incident, regulated entities must notify both authorities; and (2) within 72 hours of becoming aware, regulated entities must submit to both authorities an incident report containing key details of the incident. These requirements are intended to be no more onerous than the equivalent EU NIS 2 Directive requirements. However, because both clocks run from the point at which the entity “becomes aware,” incident response playbooks will need a clear internal trigger for that moment; and in addition to the separate obligations that organizations will inevitably have to notify customers, this structure adds a further process that regulated entities will need to operationalize.
  • New executive powers of direction: The UK government is considering new executive powers to issue directions to regulated entities, requiring them to take specific actions to address threats to and incidents affecting their systems where there is a significant threat to national security. This new measure would enable the government to intervene directly to protect networks where it is deemed necessary for national security. The government states that where practicable and, provided it would not compromise national security, an entity would be given the opportunity to make representations before it receives a direction. Multinational operators of essential services and digital services providers, as well as government authorities in the United States and European Union, will be monitoring this proposal closely for any potential extraterritorial impact that such directions might have on their incident response strategies (and/or customers).
  • Enhancing the UK Information Commissioner’s Office’s (ICO’s) information-gathering powers: Digital service providers will be subject to an expanded duty to share information with the ICO on registration, the ICO will have an expanded ability to serve information notices on firms that provide digital services, and the government will grant the ICO powers to take enforcement action against a failure to register with the ICO.

Next Steps

The UK government intends to introduce the Bill to parliament later this year.