New laws to require firms to boost cyber security defences

More organisations will be required to meet robust cyber security standards under legislation designed to make UK infrastructure more secure, the Government has said.

Unveiling its first plans for the upcoming Cyber Security and Resilience Bill, ministers said firms providing essential IT services to public services and the wider economy will be required by law to improve their data protection and network security, and to provide a greater range of risk assessments to help identify potential threats.

According to data from the National Cyber Security Centre (NCSC), in the year to September 2024 the organisation managed 430 cyber incidents, including 89 classed as nationally significant, while 50% of British businesses said they had suffered a cyber breach or attack in the last 12 months.

The proposals would also give regulators more powers to push for improvements in cyber security in their areas, and the Technology Secretary will be given powers to update regulatory frameworks as new threats emerge so firms can keep up with the changing landscape of the sector.

New protections are also being considered for more than 200 data centres, as they become increasingly vital parts of the UK’s infrastructure network because of their need to process the vast amounts of data needed to power AI tools.

Ministers said the changes would instantly improve the defences of energy suppliers and hospitals, which have increasingly become targets for state-backed cyber attacks.

Technology Secretary Peter Kyle said the plans to improve resilience would also boost the economy.

“Economic growth is the cornerstone of our plan for change, and ensuring the security of the vital services which will deliver that growth is non-negotiable,” he said.

“Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world, giving us the power to protect our services, our supply chains and our citizens – the first and most important job of any government.”

Health and Social Care Secretary Wes Streeting said: “Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place.

“We are building an NHS that is fit for the future. This Bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our plan for change.”

The Government said cyber incidents cost the UK economy around £22bn a year between 2015 and 2019.

Richard Horne, chief executive of the NCSC, said the Bill was a “landmark moment” that would “improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare”.

“It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries,” he said.

“By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges.”