UK introduces Cyber Security and Resilience Bill to bolster critical infrastructure defenses

The United Kingdom has introduced new legislation intended to strengthen cybersecurity for hospitals, energy systems, water supplies and transport networks, citing cyber risks estimated to cause nearly £15 billion ($19.6 billion) in damage each year. The measure, titled the Cyber Security and Resilience Bill, is presented as a major update to how the state protects essential services and digital supply chains.

The bill builds on existing rules in the Network and Information Systems (NIS) Regulations 2018 and was introduced in Parliament on November 12. Ministers describe it as a fundamental overhaul of Britain’s approach to protecting essential services from growing cyber threats.

Under the proposal, medium and large providers of IT management, help desk and cybersecurity services would be required to meet mandatory security standards for the first time. These managed service providers would also have to maintain incident response plans and report significant cyber incidents to the National Cyber Security Centre and their regulator within 24 hours, with full reports due within 72 hours. Regulators would also be able to designate critical suppliers in order to address supply chain vulnerabilities, the government said.

The Technology Secretary would gain powers to direct regulators and organisations such as water companies and NHS trusts to take actions including enhanced monitoring or system isolation where national security is at risk. The bill would introduce turnover-based penalties for serious breaches and extend protections to data centres and organisations managing smart energy infrastructure such as electric vehicle charging points.

Independent research cited by the government finds that the average “significant cyberattack” in the UK costs more than £190,000, adding up to roughly £14.7 billion a year, or about 0.5% of GDP. The disruption to manufacturers such as Jaguar Land Rover has been described in media reports as among the costliest, with estimated damages of at least £1.9 billion, and the Office for Budget Responsibility has warned that a major attack on critical infrastructure could push temporary government loans above £30 billion.

Separately, government and industry measures referenced alongside the bill include commitments by mobile carriers to tighten controls on spoofed phone numbers, and earlier plans to ban critical infrastructure operators and public sector organisations from paying ransoms after ransomware incidents.