Get ready for a new era in cyber security: what the UK's forthcoming cyber law means for you

Freshfields Technology Quotient blog, published 22 April 2025
Authors: Giles Pratt, Rhodri Thomas, Christine Simpson, Adam Gillert
https://www.freshfields.com/en/blogs/102d2rd/2025/4/get-ready-for-a-new-era-in-cyber-security-what-the-uks-forthcoming-cyber-law-me-102k92l/

The UK Government recently published a policy statement (https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement) outlining the scope of its proposed Cyber Security and Resilience Bill. This is the latest in a series of actions by the Government regarding cyber security, following the designation of data centres as critical national infrastructure in September last year (https://www.gov.uk/government/news/data-centres-to-be-given-massive-boost-and-protections-from-cyber-criminals-and-it-blackouts) and its recent consultation on a new regime for ransomware (https://technologyquotient.freshfields.com/post/102k1em/ransomware-beware-government-launch-consultation-on-new-regime). The Bill's aim will be to create a regulatory framework that can ‘keep pace and provide flexibility’ and ensure regulators ‘have the right tools and the clarity of purpose’ within the ever-evolving cyber threat landscape.

Below we outline the top seven changes the Bill is likely to bring, some of the key implications for businesses, related reforms the Government is considering, and likely next steps.

What will it change?

Currently, the only cross-sector cyber security legislation in the UK is the Network and Information Systems Regulations 2018 (the NIS Regs). The NIS Regs impose security duties on:

- those involved in delivering essential services covering five sectors (transport, energy, drinking water, health, and digital infrastructure) (so-called OES); and
- certain digital services (online marketplaces, online search engines and cloud computing services) (so-called RDSPs).

The Bill would update the NIS Regs, bringing more businesses into scope and aligning the UK regime more closely with the approach in the EU's new NIS 2 Directive (NIS2) (see this previous blog: https://technologyquotient.freshfields.com/post/102i9kb/the-eus-nis2-directive-key-aspects-for-businesses-to-consider). It also proposes to strengthen the tools available to regulators in this area.

Key proposals include:

1. Bringing managed services into scope

The Bill will bring so-called ‘Managed Service Providers’ (MSPs) that offer core IT services to businesses into the scope of the NIS Regs. Some examples of MSP services covered may include (among others): managed IT services, IT infrastructure and applications management, IT remote support and systems integration and management, managed security services, various other security, threat and incident response services, and certain business process outsourcing. Although the precise definition of an MSP is yet to be confirmed, the policy sets out a working definition and estimates that the new obligations will impact around 900–1100 businesses.

Covered MSPs would be subject to the same duties as those currently providing digital services, and would be regulated by the Information Commissioner's Office (ICO).

2. Increasing duties for OES, RDSPs and their suppliers

Secondary legislation will impose new duties on OES and RDSPs to manage cyber risks in their supply chains, such as new contractual requirements, security checks, and/or continuity plans.

Regulators would be able to designate specific suppliers to OES/RDSPs as ‘designated critical suppliers’, bringing them under comparable obligations to OES and RDSPs. The Government anticipates this would be a ‘very small’ number and percentage of suppliers to OES/RDSPs, where failure or disruption to their services could have a ‘significant disruptive effect’ on the provision of the OES or RDSP that it supports.

Regulators could also designate smaller RDSPs as critical suppliers (currently small and micro RDSPs are exempt from the NIS Regs).

3. Updating the UK NIS Regs to more closely align with the EU's NIS2, but keeping significant divergence

For example, to align more closely with the EU's NIS2 regime, the Bill may:

- bring MSPs into scope (as explained above);
- grant the Government new powers to set various technical and methodological security requirements (alongside a supporting code of practice); and
- introduce closer alignment on incident reporting timelines (see below).

However, it is clear the UK does not intend to simply copy the EU's NIS2. Key aspects of the UK regime (including its scope, enforcement and terminology) will continue to diverge from the EU's regime, which will complicate compliance for international businesses.

4. Enhancing incident reporting

Working in tandem with any reforms to the regime for ransomware (as discussed above), the Bill would:

- expand the circumstances in which an incident is reportable to include those that are capable of having a significant impact on the provision of the OES or RDSP, and incidents that significantly affect the confidentiality, availability and integrity of a system; and
- introduce a two-stage reporting structure, which will require regulated entities to notify their regulator and the NCSC no later than 24 hours after becoming aware of an incident, followed by an incident report within 72 hours. Businesses providing digital services and data centres that experience a significant incident will also have to alert customers who may have been affected by the incident.

5. Extending the ICO's information gathering powers

This includes expanding the duty on RDSPs to share information with the ICO on registration, expanding the ICO's scope to serve information notices on RDSPs, establishing information gateways for other entities outside the NIS Regs regime to share information with the ICO, and introducing enforcement powers where businesses fail to register with the ICO.

6. Enhancing regulators' cost recovery mechanisms

The Bill will allow regulators to set up new fee regimes, allowing for fees to be levied as well as recovering costs via invoices. This reform may not only increase costs for impacted businesses, but also give regulators stronger resources - and hence capacity - to enforce.

7. New powers to reform the regime without primary legislation

The Bill will provide the Secretary of State with various powers to update the regulatory framework without requiring an Act of Parliament, subject to certain safeguards. The intent is to ensure requirements can be updated in line with technological changes, emerging threats, and lessons learned. Businesses should prepare to deal with a more rapidly evolving regulatory regime after the Bill becomes law.

Other cyber reforms being considered by the Government

The policy statement also mentions a number of additional areas where the Government is considering legislating, which may ultimately be addressed in the Bill. Among these are proposals to:

- bring data centres within the regulatory framework;
- publish a statement of strategic priorities for regulators, on which regulators would provide annual updates; and
- empower the Secretary of State to issue directions that require specific actions by regulated entities or regulators where threats affect national security.

Next steps

There is currently no clear timeline for the Bill's publication or introduction to Parliament.

However, the publication of this policy statement shows that significant development and preparatory work have been completed. Action in this sphere is a clear priority for the Government, and we anticipate a draft of the Bill will be published this year and potentially before Parliament's summer recess.