Looking ahead to the new Cybersecurity and Resilience Bill

Cyber-attacks are becoming increasingly disruptive, so governments worldwide are looking at new ways to bolster cybersecurity and resilience. In case you missed it, the UK Government recently announced a new Cybersecurity and Resilience Bill (as part of the King’s Speech). In this blog post, we provide some initial thoughts on what we know so far.

Key aims of the Cybersecurity and Resilience Bill

1) To strengthen existing cyber security regulations – i.e. to give Regulators of critical infrastructure and essential services more power to intervene in protective measures.

2) To further protect digital services and supply chains – this is partly in response to recent attacks on the NHS and London hospitals.

3) To give Regulators the powers to proactively investigate potential vulnerabilities.

4) To further prescribe and mandate new reporting arrangements – which are intended to give Government better data on cyber-attacks, trends and potential threats.

First impressions on the new Cybersecurity and Resilience Bill

At first glance, the scope seems reasonably logical, so the new bill will almost certainly be additive. However, there is the potential for confusion or overlap with existing or emerging (UK or non-UK) legislation. Let’s not forget that supply chains for digital services and technology are usually multi-national, which simply gives Regulators and critical services organisations more to grapple with.

Stakeholders must also stand ready to ‘kick the tyres’, paying due regard to risks arising from new and emerging technological developments, because new legislation needs to withstand the test of time.

New legislation (and supporting regulation) takes time to implement

It may be a while before the draft laws are fully developed (and can then proceed through the various stages to become an Act of Parliament). Following that, up to 12 different regulators would need to implement changes off the back of the new legislation, no doubt requiring lengthy consultation processes with the relevant industries (expected to be transport, energy, health, water and digital infrastructure).

Getting further value from the new Cybersecurity and Resilience Bill

In our view, any new cybersecurity legislation must also lay the groundwork for:

  • driving new standards and best practice for cybersecurity and resilience;
  • facilitating new innovation, investment and employment opportunities;
  • boosting visibility/awareness of cybersecurity across the digital supply chain;
  • improving our nation’s ability to prevent and respond to cyber-attacks; and
  • minimising the impact of cyber-attacks.

In summary, it looks like a positive step in the right direction, but there’s still a long way to go on this topic.