In the King’s Speech it was announced that further details would follow about the CSR Bill, and it looks like we now have the confirmed and proposed measures:
Cyber Security and Resilience Bill: policy statement – GOV.UK
These have been proposed by both MPs and the Department for Science, Innovation and Technology (DSIT) and backed by the NCSC:
Cyber Security and Resilience Policy Statement to… – NCSC.GOV.UK
The bill looks to enhance the Network and Information Systems (NIS) 2018 Regulations:
The NIS Regulations 2018 – GOV.UK
The NIS Regulations 2018 were aimed at providing legal measures for improving the security (both physical and cyber) of the IT systems used to provide digital services (online marketplaces, online search engines, cloud computing services) and essential services (transport, energy, water, health, and digital infrastructure services). Twelve regulators were identified as responsible for enforcing those regulations.
The major policy proposals and changes being introduced with the CSR Bill not only increase the number of entities covered by NIS 2018, but also enhance the powers of these regulators, whilst aligning the UK, where appropriate, with the approach taken in the EU’s NIS 2 Directive:
Directive – 2022/2555 – EN – EUR-Lex
The UK government has laid out potential changes to its cyber security policy, aiming to bolster the nation’s resilience against evolving digital threats. These proposals encompass a range of measures designed to broaden the scope of regulation, strengthen supply chain security, and empower regulatory bodies. Here’s a breakdown of the key elements under consideration:
A significant aspect of the proposed changes involves bringing more entities under the umbrella of cyber security regulations.
The proposals also place a strong emphasis on securing the digital supply chain.
The proposed policy aims to equip regulatory bodies with greater authority and tools to effectively oversee cyber security practices.
The policy acknowledges the dynamic nature of cyber threats and the need for adaptability.
Beyond the core elements, the proposed bill also includes additional measures that may be incorporated later, depending on legislative opportunities:
These proposed policy changes represent a significant step towards strengthening the UK’s cyber resilience in an increasingly complex digital landscape. Businesses and organizations across various sectors should pay close attention to the development and implementation of this legislation.
As can be seen above, the bill will affect several kinds of entity; we have tried to summarise this in the following table:

| Entity Type | Definition / Characteristics | Role & Obligations |
|---|---|---|
| Managed Service Providers (MSPs) | Provide services to other organisations (not in-house); rely on network/information systems; involve ongoing IT system management or monitoring; have network access | Newly regulated; same duties as RDSPs; must follow cyber security and incident reporting requirements |
| Relevant Digital Service Providers (RDSPs) | Digital services such as online marketplaces, search engines and cloud providers | Already regulated under NIS 2018; subject to enhanced incident reporting and transparency duties |
| Small & Micro RDSPs | Smaller digital service providers currently exempt | May be regulated if designated as a Critical Supplier |
| Operators of Essential Services (OES) | Organisations providing essential national services | Existing regulation under NIS; will have new duties to manage supply chain risk |
| Designated Critical Suppliers (DCS) | Supplier to an OES or RDSP; disruption could significantly affect the service; relies on IT/network systems; not regulated elsewhere | Will be brought under regulation; must meet security and incident reporting standards |
| Data Centres (Proposed) | Facilities hosting data infrastructure; thresholds: ≥1MW capacity (general), ≥10MW (enterprise) | Expected to be included; duties include registration, risk management, and incident reporting |
| Regulators | ICO and sector-specific bodies | Enforce the regulations; gain stronger powers for oversight, cost recovery, and cyber threat monitoring |
Ultimately, the impact of the CSR Bill will be wide-ranging. It will seek to provide stronger protection of critical services, enhance supply chain security, improve regulatory oversight and capabilities, improve incident response, provide regulator flexibility and some futureproofing, and improve national security and government readiness. The cost for businesses which have not previously fallen under these requirements, both in meeting the new obligations and in demonstrating compliance with them, will be high. However, the cost of a breach and of disruption to these services, not just to the organisation but to the wider supply chain and the country, will be significantly higher.
Prism Infosec’s cybersecurity services already work with several regulated industries and regulators; if you would like to discuss this with us, please feel free to reach out.