New laws set to strengthen UK's cyber attack defences

Posted on 12 November, 2025 by Advance 

UK hospitals, energy and water supplies, as well as transport networks, will be better protected from the threat of cyber attacks under new laws being introduced in Parliament today.


Supporting the Plan for Change, the Cyber Security and Resilience Bill strengthens national security and protects growth by boosting cyber protections for the services that people and businesses rely on every day. 

In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK’s transport services moving – while making sure those who supply our vital services have tougher cyber protections.  

These proposed laws would cover certain digital and essential services including healthcare, transport, energy and water. Under the proposals: 

medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS, will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences
regulators will be given new powers to designate critical suppliers to the UK’s essential services such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean they’d have to meet minimum security requirements – shutting down gaps in supply chains criminals could exploit which could cause wider disruption
enforcement will be modernised, including tougher turnover-based penalties for serious breaches so cutting corners is no longer cheaper than doing the right thing. That is because companies providing taxpayer services should make sure they have tough protections in place to keep their systems up and running
the Technology Secretary gets new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security. This includes requiring that they beef up their monitoring or isolate high-risk systems to protect and secure essential services

These are areas where a successful attack could have huge negative implications for the British economy and public services. The Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure (CNI) could temporarily increase borrowing by over £30 billion – equivalent to 1.1% of GDP. 

New independent research published today shows the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7 billion a year across the economy – equivalent to 0.5% of the UK’s GDP. 

Science, Innovation, and Technology Secretary Liz Kendall said: "Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.

"We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses and a faster national response when threats emerge."

National Cyber Security Centre CEO Dr Richard Horne said: "The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.

"As a nation, we must act at pace to improve our digital defences and resilience and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.

"Cyber security is a shared responsibility and a foundation for prosperity and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires."

National Chief Information Security Officer for Health and Care at the Department of Health & Social Care, Phil Huggins, said: "The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.  

"The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.

"Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data and maintain trust in our systems in the face of an evolving threat landscape."

Earlier this year, the government published the Cyber Governance Code of Practice, setting out clear steps organisations should take to manage digital risks and safeguard their day-to-day operations. Whilst it is for companies to ensure they have proper protections in place, the Bill targets those that will have the maximum impact on improving cyber resilience, bringing the services that retailers, hospitals, councils and others depend on into scope – raising their baseline protects thousands of businesses in the long term. 

Recent cyber-attacks on managed service providers clearly make the case for updated laws. In 2024, hackers accessed the Ministry of Defence’s payroll system via a managed service provider, while other recent attacks, such as the Synnovis incident in the NHS, resulted in over 11,000 disrupted medical appointments and procedures, with some estimates suggesting costs of £32.7 million. This brings into sharp focus the impact cyber incidents can have on the public and our essential public services. 

Organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours, to ensure support can be on hand more quickly and to help build a stronger national picture of cyber threats. If a data centre, or a digital or managed service provider, faces a significant or potentially significant attack, it will have to promptly notify customers that are likely to be impacted, so those organisations can act fast to protect their business, people and services. 

Data centres keep the UK running, from patient records and payments to email services and AI development. The Bill will bring them into scope of the regulations, ensuring they meet robust cyber security standards. 

New safeguards will also cover organisations that manage the flow of electricity to smart appliances like electric vehicle charge points and electrical heating appliances in homes. This will reduce the risk of disruption to consumers using smart-energy appliances, and the grid, bolstering the UK’s energy security. 

The Bill represents a step change in how the government protects people in an increasingly dangerous world, supporting the National Security Strategy.  

It will help to deliver greater economic stability, protect businesses and working people from the impact of cyber attacks and support further investment into the UK’s cyber security sector, which contributed £13.2 billion to the economy in the latest financial year.  

It follows a recent letter from government ministers including the Technology Secretary, Chancellor and Business Secretary to business leaders and FTSE 350 firms, urging them to strengthen their cyber defences to face down the growing range of threats targeting the UK’s leading organisations.  

Organisations can make use of the free guidance and tools available from the NCSC – including Cyber Essentials, Active Cyber Defence services and the Cyber Assessment Framework for the UK’s most critical organisations – to help improve their resilience. 

Simon Sheeran, Head of Cyber Security Oversight at the UK Civil Aviation Authority, said: "The aviation sector contributes billions of pounds to the UK economy and provides critical national infrastructure. 

"This Bill will help improve cyber defences essential for maintaining the already very high safety standards in aviation. 

"The Civil Aviation Authority protect people and enable aerospace within a global eco-system and the need for aviation to defend as one is a national imperative."

Jill Popelka, CEO of Darktrace, said: "In an era where cybercriminals move faster, experiment freely and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation. It will improve the UK’s defences, enabling businesses and public services to securely harness the opportunities provided by technology and innovation. 

"We’ve seen cyber attackers increasingly target supply chains and managed service providers in recent years, including vital institutions like the NHS and the Ministry of Defence. It’s promising to see the Bill recognise the risk across the digital ecosystem. It’s also good to see the government’s focus on future-proofing the regulatory environment for cyber security and creating a stronger role for NCSC’s Cyber Assessment Framework. These changes will help give organisations more confidence to adopt new technologies while staying prepared for the next evolution in threats."

Julian David OBE, CEO of techUK, said: "TechUK welcomes today’s introduction of the Cyber Security and Resilience Bill to Parliament, which signals the government’s ambition to modernise and future-proof the UK’s cyber laws while fostering the resilience that will underpin our economic growth. It marks a significant step forward in prioritising the security of our nation’s essential services. 

"TechUK looks forward to continuing to engage with the government as the Bill makes its way through Parliament, to help ensure that the measures are fit for purpose, practically implementable and can deliver their intended outcomes, protecting the UK from a diverse range of threats and enabling organisations to harness the benefits that technology can offer."

Sarah Walker, Chief Executive, Cisco UK and Ireland, said: "We welcome the government taking action to overhaul the UK’s cyber framework with the Cyber Security and Resilience Bill. This is a significant step in securing the UK against ever-increasing cyber threats.

"Our latest research shows the scale of the challenge ahead. Only 8% of UK organisations are classed as ‘Mature’ in their cybersecurity readiness. As AI reshapes both attack and defence, we need regulation that keeps pace with this changing threat landscape. We are looking forward to collaborating with the UK government and working with our international partners to continue securing the UK’s digital economy."

David Ferbrache, managing director at Beyond Blue, said: "The Cyber Security and Resilience Bill (CSRB) marks an important shift in how the government will address the cyber security and resilience of critical services in the UK, reflecting today's modern threat landscape and our increasing dependence on digital infrastructure.

"It’s been seven years since the NIS Regulations came into force, itself transposing an EU directive which is now nearly a decade old. Since that time our digital world has been transformed in ways the original authors of the regulations, and of the EU directive they were based on, could not imagine.

"Digital infrastructure now underpins our modern society, supporting everything from utilities to public services to education to business. From the high profile attacks on car manufacturers and the retail sector, to the more insidious attacks against our telecommunications and energy sectors, we have seen cyber attacks grow in scale and significance.

"The CSRB is intended to be one part of the UK's response to such attacks, bringing new categories of digital infrastructure providers within the scope of regulation. For many years I have argued that managed service providers (MSPs) are at the heart of securing much of our economy. Many firms, small and large, depend on them for their IT maintenance, operation and security. Their security is paramount and if breached they can provide an attack vector into many client organisations, a fact which has not escaped cyber attackers who are increasingly exploiting supply chain attack tactics.

"Securing MSPs alongside initiatives such as the scale-up of NCSC's Active Defence Programme is vital to securing many SMEs, who often lack the skills and capacity to achieve the high levels of security we have come to expect from major corporates. Their survival is no less important to our economy.

"There will be challenges ahead in turning the bill into law, effective regulation and ultimately improved security and resilience. The bill is expected to bring some 1,500 organisations into the scope of regulatory oversight for the first time, a major extension of the scope of NIS – and one which covers MSPs, larger data centres and the suppliers to our most critical infrastructure. We will need to implement a regulatory model which is effective, scales and drives the right industry behaviour. No small ask of the ICO as the lead regulator for much of this, and a major extension from its core mission as our national data protection authority.

"The bill also mentions cyber security and resilience in its title - hinting at a more holistic approach to regulation, which goes beyond just protecting our infrastructure to considering how it can be resilient to cyber attack, responding and recovering quickly in a way which minimises business interruption and damage to customers and (as Jaguar Land Rover has shown us) suppliers too.

"The first reading of the bill has begun and much discussion is ahead of us, not least around powers for national security direction of regulators and firms. As we move into 2026, we can expect greater clarity on just how the principles of the bill will translate into expectations on firms. By that time, it will be safe to say the regulation will be much needed, and long overdue.

"We will look back in another decade and see how much our AI-enabled world has changed from 2025, so let's be certain that the CSRB offers us the flexibility we need to future-proof our regulatory response to the future."

Simon Phillips, CTO of Engineering at CybaVerse, said: "The proposed new laws will bring many more organisations under regulatory oversight, forcing them to improve their cyber defences or face significant financial penalties. This is an important step, because business leaders are far more likely to take action when they risk losing millions due to compliance failures.
 
"One of the biggest updates to the regulation is its coverage of MSPs.
 
"This is the first time MSPs have come under government regulatory oversight. It was proposed in the NIS 2022 update, but it was never enforced.
 
"Today, MSPs are highly interconnected with thousands of organisations across the UK, so they have a duty to ensure their own environments are secure.
 
"Otherwise, an incident on an MSP can have a cascading effect across all their customers.
 
"This was witnessed in last year’s Synnovis attack, when a ransomware incident on its environment rippled across to London hospitals. It’s been well over a year since this breach was first announced, but its investigations continue. Earlier this week, the NHS announced it would soon be informing impacted patients about the data that was compromised in the attack.
 
"This demonstrates the enduring impacts of attacks today.
 
"The government has also announced new research today which highlights the increasing costs of cyber attacks.
 
"These figures are continuing to rise and all business leaders should take note.
 
"Furthermore, the financial damage caused by attacks is not just immediate losses anymore. Today, it is also enduring, lasting for many months. This has been demonstrated by the attacks on JLR, the Co-op and M&S this year.
 
"It’s vital the UK gets ahead of these economy-blowing attacks, because as our reliance on digital keeps increasing, offering more opportunities for attackers to cause damage, things are only going to get worse."

Ryan McConechy, CTO of Barrier Networks, said: "This regulation couldn’t come at a more pivotal time.
 
"The government’s statement today talks about keeping taps running and keeping the lights on. However, many citizens will struggle to see the link between running water, lighting and cyber, but in reality they are intrinsically interlinked.
 
"Digital underpins the critical services communities rely on, and when something happens to disrupt that digital infrastructure, whether due to a cyber attack or outage, then the impacts can reach the critical services.
 
"Just last week, a report from the Record revealed that hackers have launched five cyber attacks against Britain's drinking water suppliers since the beginning of last year. It doesn’t sound like these incidents had an impact on supplies but what if they had? The impacts could have ranged from changing chemical levels in water to shutting down supplies entirely. 

"These types of life-threatening incidents are akin to a declaration of war, especially when tied to a state sponsored actor. While we haven't seen anything this severe happening yet, it is clear the government wants to get ahead of the threat, particularly as geopolitical tensions amplify.
  
"Overall, the Cyber Security and Resilience Bill will act as a catalyst to drive better security adoption across critical infrastructure, which is much needed, particularly in the face of growing threats from both cyber crime groups and state sponsored gangs."

Graeme Gordon, CEO of Converged Solutions Group, said: "It’s a great step that the UK government is taking a proactive approach to cyber resilience. 

"Tech and, by extension, cyber, are more embedded into our daily lives than ever. It was once easy to ignore some areas legislatively, but this is no longer tenable given the extent of the threat facing the country, both from criminals and state actors.
 
"The bill’s new emphasis on identifying key firms in supply chains, as well as key providers of technology, allows the government to get a better picture of the state of resilience overall and also provides regulatory clarity to these firms; they’re going to be able to better understand their liability and they’re going to be able to adjust their practices accordingly.
 
"Moreover, the ICO will have strengthened powers to collect data from key firms and sectors, in an effort to tackle threats proactively. This will hopefully allow regulators to identify threats early and to collect more data from ongoing attacks, which will ultimately help improve our understanding of the threat landscape overall.
 
"Most of the economy is now dependent on tech in some form. The new bill’s focus on expanding the scope of prior legislation acknowledges this fact, and provides clarity which was previously lacking. It’s important that it faces a thorough and appropriate review; the UK can’t afford to lag behind legislatively. Threat actors and criminals certainly won’t."