The government has introduced its long-awaited cyber security and resilience bill to parliament, promising to toughen the UK’s defences against the growing wave of cyberattacks on businesses and public services.
Ministers say the new legislation represents a ‘step change’ in national security, with the aim of protecting vital services such as energy, water and healthcare from disruption.
It follows a string of high-profile incidents in recent months, including the attack on NHS contractor Synnovis, which led to more than 11,000 cancelled medical appointments and caused losses of over £30m.
Science, Innovation and Technology secretary Liz Kendall said the bill would mean “fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
The reforms update and expand the Network and Information Systems (NIS) Regulations 2018, extending regulation to cover more digital infrastructure and key suppliers.
For the first time, these newly covered organisations will be required to meet minimum security standards, report major incidents within 24 hours and have response plans in place.
Regulators such as Ofwat and NHS Improvement will also gain new powers to direct companies to take “specific, proportionate steps” to prevent attacks, including isolating high-risk systems when threats emerge.
A widening net for regulation
The new rules come as the cost of cyberattacks continues to mount.
Government research suggests major breaches now cost the UK economy nearly £15bn a year, or about 0.5 per cent of GDP.
Industry figures have broadly welcomed the bill’s ambitions but cautioned that its success will depend on clarity and enforcement.
Ric Derbyshire, principal security researcher at Orange Cyberdefense, said the bill “encourages organisations involved in critical national infrastructure to recognise that security and resilience rely on an interdependent ecosystem, rather than a simple chain”.
Others struck a more cautious note, with Kristina Holt, Managing Associate at law firm Foot Anstey, warning that “the introduction of this Bill is by no means a guarantee of security or certainty”.
She added that its impact “will depend on whether significant resource is actually allocated for its enforcement.”
Trevor Dearing, director of critical infrastructure at Illumio, welcomed the shift to require reporting of all cyber incidents, not just successful breaches, calling it “long overdue.”
But he also emphasised that “whilst it is understandable the government is introducing tougher penalties for poor security practices, it is equally important that sufficient support is provided to help organisations achieve compliance.”
Cybersecurity as national security
The legislation’s timing reflects a shift in government thinking about cyber resilience as part of national security and economic stability.
The UK’s National Cyber Security Centre (NCSC) recorded over 200 ‘nationally significant’ attacks in the past year, while companies such as Jaguar Land Rover and Marks & Spencer have faced serious operational disruption.
Dr Richard Horne, chief executive of the NCSC, described the bill as a ‘crucial step’ in protecting critical services amid a “complex and evolving threat landscape.”
Others, such as Matt Houlihan, vice president of government affairs at Cisco, said the framework was overdue but must be “practical and clear” to work.
“The success of this bill will rely on clarity and practical timelines”, he said, adding that government should address risks from outdated, end-of-life systems that “too often leave organisations exposed.”
With the cost of cyberattacks mounting and the country’s reliance on digital infrastructure deepening, industry leaders agree the bill is an important move, but one that will require consistent follow-through.
As Carla Baker of Palo Alto Networks put it: “A supply chain is only as strong as its weakest link. The government must now ensure this legislation gives businesses the clarity and confidence to strengthen theirs.”