On April 1, 2025, the UK government published the Cyber Security and Resilience Policy Statement (the “Policy Statement”), which details the UK government’s legislative proposals for the Cyber Security and Resilience Bill (the “Bill”), originally announced in July 2024. As explained in the Policy Statement, the key legislation currently governing “cross sector” cybersecurity in the UK is the Network and Information Systems (NIS) Regulations 2018 (the “NIS Regulations”). The NIS Regulations were the pre-Brexit national implementation of the EU NIS Directive. The EU NIS Directive was recently repealed and replaced by the Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”). The Bill will propose amendments to the NIS Regulations, taking into consideration “insights” and “valuable lessons” from the EU on the implementation of NIS2. According to the Policy Statement, the Bill will “address the specific cybersecurity challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive. This strategic approach ensures…[the UK] can be flexible and responsive to cyber threats in a proportionate way that balances the impact on business.”
As detailed further in the Policy Statement, the Bill will include measures such as:
- Extending the scope of the NIS Regulations to include more entities. The Policy Statement details several ways in which the scope will be extended. For example, it explains how Managed Service Providers will be brought into scope given their “unprecedented access to clients’ IT systems, networks, infrastructure and data.” While subject to further drafting for the Bill, the Policy Statement defines a “managed service” as a service that:
  - is provided to another organization (i.e., not in-house);
  - relies on the use of network and information systems to deliver the service;
  - relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks, including for the purpose of activities relating to cybersecurity; and
  - involves a network connection and/or access to the customer’s network and information systems.
  The Policy Statement also sets out plans to extend the scope by strengthening supply chain duties for operators of essential services (an “OES”) and relevant digital service providers (an “RDSP”) through secondary legislation. Regulators will also be able to designate critical suppliers if the supplier’s goods or services are so critical that disruption could have a significant disruptive effect on the essential or digital service they support. According to the Policy Statement, critical suppliers are expected to account for a “very small number and percentage of those suppliers providing goods or services” to an OES or RDSP.
- Empowering regulators and enhancing oversight. The Policy Statement details several proposals in this respect, including:
  - developing technical and methodological security requirements. While the UK National Cyber Security Centre (“NCSC”) Cyber Assessment Framework currently acts as a resource supporting certain organizations in assessing and managing cybersecurity, it is proposed that three principles and objectives will be established that will make it “essential for firms to follow best practice,” in turn making it “simpler for the regulators to oversee the requirements.” The Policy Statement also confirms that the technical standards and methods requirements of the NIS Regulations will be updated to bring them closer into alignment with NIS2.
  - enhancing incident reporting requirements. The Policy Statement sets out how the Bill will update and enhance the current incident reporting requirements for regulated entities under the NIS Regulations by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting, and enhancing transparency requirements for digital services and data centres. For example, similar to NIS2, the Bill is said to introduce a two-stage reporting structure, which will require regulated entities to notify their regulator and also inform the NCSC of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours. The Policy Statement states that the UK government intends “for this procedure to be similar to, and no more onerous than, the equivalent requirements under” NIS2.
  - improving the information gathering powers of the UK Information Commissioner’s Office (“ICO”). In addition to being the UK data protection regulator, the ICO is the regulator for RDSPs under the NIS Regulations, regulating online marketplaces, search engines, and cloud services. Once the Bill is implemented, the ICO will also be the regulator for managed service providers. According to the Policy Statement, the Bill will enhance the ICO’s ability to gather information to assist it in determining the criticality of regulated digital services, including by expanding the duties on firms to share information with the ICO on registration and expanding the criteria for the ICO to use its existing power to serve information notices on firms.
In addition, the Policy Statement details other measures under consideration by the UK government, which may be included in the Bill or advanced under other legislation, such as:
- Bringing data centres into the scope of the regulatory framework. The Policy Statement explains that UK data centres that meet certain criteria will be subject to certain duties. These would include, for example, notifying and providing certain information, having in place appropriate and proportionate measures to manage risks, and reporting significant incidents.
- Publishing a statement of strategic priorities for regulators. The UK government is considering introducing a new power for the UK Secretary of State to publish a statement of strategic priorities to establish a unified set of objectives and expectations for the implementation of the regulations. Such a statement would be updated once every three to five years and be accompanied by a requirement for regulators to report annually on their progress against the objectives in the statement.
- New executive powers for the UK government to enable swift and decisive action in response to cyber threats. The Policy Statement details two powers that the UK government is considering granting to the UK Secretary of State:
  - The power to issue a direction to a regulated entity in relation to a specific cyber incident or threat, requiring the entity to take action to remedy the incident or threat. The UK Secretary of State would only be able to issue a direction where necessary and proportionate for reasons of national security; and
  - The power to issue a direction to regulators on national security grounds, requiring them to exercise their functions to ensure that action is undertaken across their sectors. The power would only be used where necessary for national security and where the impact of a direction is deemed to be proportionate.
According to the press release on the Policy Statement, the Bill is to be introduced later this year.
Read the Policy Statement and Press Release.