New ‘pivotal’ legislation to force businesses to boost cyber defences
The UK Government plans to introduce measures that will give the technology secretary the power to require firms to strengthen their cyber security defences.
The measures form part of the first plans for the Cyber Security and Resilience Bill since it was announced in the King’s Speech last year.
Under the new legislation, Peter Kyle is expected to have new powers to keep the UK safe from online threats. He will also be able to update the regulatory framework in a bid to stay in line with the cyber landscape and allow the government to act swiftly against attacks.
One thousand service providers are expected to be affected by the legislation once it is introduced later this year.
The new law will “ensure firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals”, the government said.
The measures come on the back of a string of significant cyber attacks on national services. Last summer, cybercriminals hit Synnovis, a provider of pathology services to the NHS, causing thousands of missed appointments and costing around £33m, the government said.
North of the border, NHS Dumfries and Galloway was the victim of a cyber incident early last year that led to a “large” amount of data being leaked online.
In total, cybercrime is estimated to cost £27bn to the UK annually.
Kyle said: “Economic growth is the cornerstone of our plan for change, and ensuring the security of the vital services which will deliver that growth is non-negotiable.
“Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.
“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”
In the year up to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with around two a week being identified as nationally significant. The latest Cyber Security Breaches Survey also highlighted that half of British businesses have suffered a cyber incident in the past year.
Health secretary Wes Streeting said: “Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place.
“We are building an NHS that is fit for the future. This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our plan for change.”
The bill may also introduce new protections for more than 200 data centres, which were designated critical national infrastructure last year. These centres are a key part of Prime Minister Keir Starmer's plans for the UK to become an AI superpower, as they process vast amounts of data needed to create AI models.
Richard Horne, NCSC chief executive, said: “The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare.
“It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.
“By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges.”