UK Cybersecurity Regulation: what’s next?

Historically, the UK has adopted an incremental sectoral approach to cybersecurity regulation, with the UK GDPR being the notable exception, as it addresses personal data processing across all industries.  However, escalating concerns about supply chain risks, as highlighted by the National Cyber Security Centre (NCSC), suggest that future regulations may become more complex.  Particularly for suppliers working across multiple regulated sectors – some suppliers could end up being regulated under a number of overlapping regimes.

The Cyber Security and Resilience Bill is likely to expand the scope of which digital services are regulated.  This includes bringing managed service providers into regulatory scope. As digital services, such as online marketplaces, online search engines and cloud services, are now integral to the supply chain across the economy, this reflects the government’s focus on their operational resilience.

Digital services have been regulated by the Information Commissioner’s Office (ICO) under the Network and Information Security Regulations (NIS) since 2018. There have been plans to update the regulations for some time – but what can we expect?

• Support for a more proactive approach by the regulator
• Expanded reporting requirements (such as need to report on ransomware attacks)
• Cost recovery measures
• Expansion of scope to include managed service providers such as IT outsourcing services
• Power for the government to expand the scope of regulation to other services as it sees necessary

Since 2018, sectors such as energy, transport, healthcare, water, and digital infrastructure have been regulated under NIS due to their status as essential services. However, the new bill could bring further changes, including:

• Expanded reporting obligations for incidents, including ransomware attacks.
• Designation of “Critical Dependencies”, regulating key suppliers essential to these sectors’ operational resilience, thereby addressing growing supply chain risks.

The civil nuclear sector, while not regulated under NIS, continues to be governed by other stringent regulations such as the Nuclear Industries Security Regulations. There is a question about how the government intends to regulate data centres – data centres were designated by government as critical national infrastructure on 12 September 2024 which may imply an increased likelihood that they will be drawn into a regulatory regime similar to that under NIS. The previous government had signalled a measure of intent to do so in a consultation in February 2024 to this effect, and those in that sector should keep an eye on the scope of the Cyber Security and Resilience Bill and any regulations to be made under it.

On 12 September 2024, the UK government designated data centres as critical national infrastructure, raising the likelihood of their inclusion in a regulatory framework. The Cyber Security and Resilience Bill could potentially outline specific compliance obligations for data centres, as consultations earlier this year indicated a shift toward stricter oversight.

As is often the case in the UK, the Financial Services Regulators (PRA/FCA) have been early movers in introducing measures to address cyber security resilience and supply chain risk. Firms in this sector have been subject to operational resilience requirements since March 2022, with a deadline of March 2025 to:

• Identify important business services, set impact tolerances and carry out appropriate mapping and testing
• Identify any vulnerabilities in operational resilience
• Make the necessary investments to operate consistently within impact tolerances

In relation to the supply chain issue a new regime aimed at regulating Critical Third Parties (CTPs) was introduced in the Financial Services and Markets Bill in 2022. The CTP regime is designed to help manage risks to the stability of, or confidence in, to the UK financial system posed by systemic third party concentration risk. The new legal regime enables HMT to designate third parties as CTPs if they meet certain criteria. It also gives the financial services regulators some new powers to oversee the resilience of the services these CTPs provide to the UK financial sector. The first set of designations are expected in early 2025.