
Government sets out main points of Cyber Security Bill

02/04/25

Mark Say Managing Editor


The UK Government is planning to bring more organisations, including managed service providers and critical suppliers, into the scope of the regulatory framework for cyber security.

The Department for Science, Innovation and Technology (DSIT) has published details of the new Cyber Security and Resilience Bill to be laid before Parliament, emphasising its importance to critical services including the NHS.

The policy statement on the bill highlights the need to strengthen cyber security in supply chains, which has been acknowledged as a major issue for the public sector and has prompted the publication of guidance by the National Cyber Security Centre (NCSC).

The bill will require managed service providers to comply with the Network and Information Systems (NIS) Regulations, placing them on the same footing as firms that provide digital services, in order to protect a broader range of services from cyber attacks.

According to the policy statement, this will cover between 900 and 1,100 managed service providers.

Critical suppliers

The bill will also introduce a power for regulators to identify and designate specific high-impact suppliers as ‘designated critical suppliers’ and subject them to obligations comparable to those of operators of essential services and relevant digital service providers.

It will also require operators of essential services and relevant digital service providers to manage supply chain cyber risks through measures such as contractual requirements, security checks and continuity plans.

These measures will be accompanied by giving the Government more flexibility to update regulatory frameworks when needed to respond to changing threats, and updating the incident reporting requirements for regulated organisations.

Secretary of State for Science, Innovation, and Technology Peter Kyle said: “Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage. 

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”

Real risks

Health and Social Care Secretary Wes Streeting said: “Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place.

“We are building an NHS that is fit for the future. This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our Plan for Change.”

The Government is also exploring additional measures to make sure it can respond effectively to new cyber threats. These include giving the Technology Secretary powers to direct regulated organisations to shore up their cyber defences, and new protections for more than 200 data centres.

Richard Horne, NCSC CEO, said: “The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare.

“It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.”
