Draft:Cyber Security and Resilience Bill (2024)

UK cyber security proposed law.

Review waiting, please be patient. This may take 3 months or more, since drafts are reviewed in no specific order. There are 2,580 pending submissions waiting for review. If the submission is accepted, then this page will be moved into the article space. If the submission is declined, then the reason will be posted here. In the meantime, you can continue to improve this submission by editing normally. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL Easy tools: Citation bot (help) | Advanced: Fix bare URLs Reviewer tools Instructions · What links here · Cyber Security and Resilience Bill (2024) (talk: + · bio) · (log) · Copyvios report · reFill · Citation Bot · (Search: Google, Bing, Wikipedia) · Submitted 7 days ago by Richard Nowell (talk: D · +) · Last edited 2 days ago by Richard Nowell

On July 17th 2024, it was announced at the State Opening of Parliament that the Labour government will introduce the Cyber Security and Resilience Bill (CS&R) which is intended to update the existing Network and Information Security (NIS) Regulations 2018.^[1][2] The Bill once passed into law, will strengthen the UK's cyber defences and resilience to hostile attacks to ensure that the infrastructure and critical services relied upon by UK companies are protected by addressing vulnerabilities and ensuring the digital economy can deliver growth.^[3] It would expand the remit of existing regulation and put regulators on a stronger footing, as well as increasing the reporting requirements placed on businesses to help build a better picture of cyber threats to the UK.^[4] Its purpose is to strengthen the UK’s cyber defences and to ensure that critical infrastructure and the digital services that companies rely on are secure. ^[5]

The CS&R is part of the government’s pledge to enhance and strengthen the UK’s cyber security measures and protect the digital economy.^[6] CS&R will introduce a comprehensive regulatory framework designed to enforce stringent cyber security measures across various sectors. This framework includes mandatory compliance with established cyber security standards and practices. Ultimately, businesses will need to demonstrate their adherence to these standards through regular audits and reporting.^[7] The proposed legislation will also put regulators on a strong footing to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators and provide powers to proactively investigate potential vulnerabilities.^[8]

The key facts are (quoting):

"i) The current cyber security regulations play an essential role in safeguarding the UK’s critical national infrastructure by placing security duties on industry involved in the delivery of essential services. The regulations cover five sectors (transport,energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). Twelve regulators (competent authorities) are responsible for implementing the regulations.^[3]

ii) Hostile cyber actors are increasingly targeting our critical sectors and supply chains. Recent serious high-profile attacks impacting London hospitals, and the Ministry of Defence as well as ransom attacks on the British Library and Royal Mail, have highlighted that our services and institutions are vulnerable to attack.^[3]

iii) The impacts of a cyber attack on these sectors pose severe risks to UK citizens, core services, and the economy at large. For example, as a result of the ransomware attack affecting the NHS in England in June [2024], 3,396 outpatient appointments and 1,255 elective procedures were postponed across King's College Hospital, Guy’s Hospital and St Thomas’ Hospital. The total cost of cyber attacks to the UK was estimated at £27 billion per annum in 2011, this figure is likely to have increased.^[3]

iv) The National Cyber Security Centre assess that the increased threat from hostile states and state-sponsored actors continues to ramp up. At a recent speech at CyberUK, National Cyber Security Centre CEO Felicity Oswald warned that providers of essential services in the UK cannot afford to ignore these threats.^[3]

v) Two Post-Implementation Reviews found the original regulations are having a positive impact, but that progress has not been fast enough. In 2022, the review found that they ‘are a vital framework in raising wider UK resilience against network and information systems security threats’, but updates are required to keep pace with growing threats. Just over half of operators of essential services have updated or strengthened existing policies and processes since the inception of the [NIS] Regulations in 2018."^[3]

It has been estimated that the cost of cybercrime in the UK in 2019 was $65.47 billion (approximately £50 billion).^[9]

Consequences

Digital verification services would be established and include "digital identity products to help the public quickly and securely share key information about themselves as they use online services in their everyday life."^[4]

A National Underground Asset Register would be created enabling "planners and excavators instant, standardised access to pipe and cable data around the country."^[4]

The Bill will enable the creation of 'smart data' schemes, "which would allow for the secure sharing of customer data, upon their request, with authorised third-party service providers."^[4]

It will introduce compulsory ransomware reporting so that the authorities can better understand the threat and "alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report."^[10]

Lack of Detail

The Bill has no information on any punishments for non-compliance.^[11]

The data regulators' demands from an organisation that has experienced a cyber security incident are unclear.^[11]

See also

• GDPR - The General Data Protection Regulation.
• Malware - Examples include Computer viruses, spyware and adware.

Further reading

• The Network and Information Systems Regulations 2018.^[12]

References

1. Seddon, P. (15 July 2024). "Key points in King's Speech at a glance". BBC News. Retrieved 30 July 2024.
2. "King's Speech: new cyber resilience laws planned in the UK". Pinsent Masons. 17 July 2024. Retrieved 5 August 2024.
3. "The King's Speech 2024" (PDF). UK GOV. p. 94. Retrieved 30 July 2024.
4. Griffin, A. (17 July 2024). "Labour announces host of new tech rules – but does not reveal much-hyped 'AI bill'". Independent. Retrieved 30 July 2024.
5. Patefield, D.; Broom, J.; Collings, A.; Tsolova, R.; Modha, T. (19 July 2024). "Government announces new Bill to strengthen the UK's cyber security and resilience". techUK. Retrieved 30 July 2024.
6. staff (18 July 2024). "Cyber Security and Resilience Bill: what businesses and insurers need to know". CMS Legal. Retrieved 30 July 2024.
7. "What businesses need to know about the Cyber Security and Resilience Bill". ITN. 22 July 2024. Retrieved 30 July 2024.
8. "UK set to debut Cyber Security and Resilience Bill to boost national cyber defenses, secure critical infrastructure". Industrial Cyber. 19 July 2024. Retrieved 30 July 2024.
9. "Annual cost of cybercrime in the UK 2017-2028". Ani Petrosyan. 1 December 2023. Retrieved 7 August 2024.
10. Muncaster, P. (18 July 2024). "UK Government Set to Introduce New Cyber Security and Resilience Bill". Reed Exhibitions. Retrieved 5 August 2024.
11. Jones, C. (30 July 2024). "Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy". The Register. Retrieved 4 August 2024.
12. "The Network and Information Systems Regulations 2018". Crown. 10 May 2024. Retrieved 4 August 2024.