As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced the NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so; see our post on NIS2 here for an overview of its requirements).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.

1. Data center operators—among others—will now fall within scope of the NIS Regulations

At present, the NIS Regulations cover two types of covered entities—“operators of essential services” (“OESs,” including the main types of critical infrastructure, such as energy, transport, and water providers) and “digital service providers” (“DSPs,” specifically cloud computing, online search engines, and online marketplaces).

The Bill will expand the scope of the OES designation to cover providers of data center services that offer a rated IT load of more than 10 megawatts, and are provided “on an enterprise basis.” The Bill’s definition of “data centre service” broadly follows the equivalent definition in NIS2 but is more detailed; in essence, it covers the provision of data center space and supporting infrastructure (e.g., utilities and security infrastructure). This differentiates data center providers from cloud computing providers, which are already regulated as DSPs under the NIS Regulations. (Note that the definition of “cloud computing services” will also be amended.) The Secretary of State for Science, Innovation and Technology, along with Ofcom, will be the competent authority for regulating data center providers.

The Bill will also expand the scope of the NIS Regulations to cover:

  • “Large load operators” in the electricity sector as OESs; and
  • Managed service providers as a new category of operator with similar obligations to DSPs under the existing NIS Regulations. Interestingly, the definition of a “managed service provider” is more specific than the equivalent definition in NIS2. The Information Commission (which will soon replace the existing Information Commissioner’s Office) will be the competent authority for managed service providers.

2. More incidents will be reportable, and the Government reserves the right to impose more specific security requirements

At present, the NIS Regulations require OESs to report to their competent authorities any incident that “has a significant impact on the continuity of the essential service which that OES provides,” taking into account factors such as the number of affected users, the duration of the incident, and the geographical area affected. DSPs must report incidents that have a “substantial impact on the provision of” any of the digital services they provide. It’s fair to say, however, that authorities have not been overwhelmed: according to the Government’s impact assessment, in 2019, 2020 and 2021, there were only 13, 12 and 22 NIS incidents reported, respectively. The Government considers that this is because the definition of a significant incident has been too narrow.

The Bill will expand the types of incidents that are reportable, in some cases extending to incidents that have had or are likely to have a “significant impact” in the UK. Generally, reportable “incidents” will include incidents that are “capable of” creating adverse impacts—not just those that have an actual such effect. However, covered entities will need to review the definitions of incidents carefully to understand what is reportable, because there are slightly different thresholds for different categories of provider. For example, data center providers must report incidents that could have had, have had, are having or are likely to have, a significant impact on the operation or security of the network and information systems at issue, a significant impact on the continuity of the data center service, or any other significant impact.

In addition, the Bill will impose an obligation on OESs, DSPs, and managed service providers to notify customers that are likely to be “adversely affected” by the incident, taking into account the level of any disruption, any impact on that customer’s data, and any impact on their other systems.

Although the Bill does not set out new substantive security requirements on covered entities, it empowers the Government to impose such requirements, including for national security purposes.

3. The Bill attempts to address supply chain security for OESs by creating a new category of “critical suppliers”

The Bill would permit competent authorities responsible for overseeing OESs and DSPs to designate—subject to a consultation process—“critical suppliers,” i.e., individuals or organizations that rely on network and information systems to provide goods or services to an OES or DSP, for whom an incident would have the potential to cause disruption to the provision of an essential service that is likely to have a “significant impact on the economy or day-to-day functioning of society” in the UK.

As drafted, the Bill does not impose specific obligations on critical suppliers. However, such suppliers may, among other things, be the subject of directions from the UK Government to take steps in relation to the security of their services, or the subject of cybersecurity codes of practice from the Government. The Government has recognized that third-party service providers can create significant risks for OESs, DSPs, and managed service providers, and left itself flexibility to regulate further in the future.

In addition, organizations (or individuals) can be designated as critical suppliers by multiple competent authorities (e.g., if they provide services to OESs in multiple different sectors). In recognition of this, the competent authorities are required to coordinate with one another in relation to designation decisions.

4. Increased fines and enhanced powers for competent authorities

The headline is that the level of potential fines is significantly increased: the cap for the most serious infringements will be the higher of GBP 17m or 4% of the worldwide annual turnover of an undertaking. Ongoing infringements of requirements imposed by competent authorities can also be subject to daily penalty payments until they are rectified.

The Bill also empowers competent authorities to share information related to incidents among themselves, with law enforcement, with GCHQ, and with OESs, DSPs, managed service providers, and critical suppliers where necessary (although any such information sharing with private entities may not prejudice the security interests of others), and also with foreign competent authorities.

The Bill would also amend the NIS Regulations to set out in more detail the powers of competent authorities to demand information from covered providers, carry out inspections, and take enforcement action. Competent authorities are also empowered to charge covered entities to cover the costs arising from the exercise of the authority’s functions, subject to charging “schemes” that competent authorities may develop (subject to consultation with the organizations they regulate).

5. The UK Government will be empowered to take a more active role in cybersecurity regulation in the future

Parts 3 and 4 of the Bill establish a framework for the UK Government to set both the broad strategic direction for competent authorities’ oversight and enforcement of cybersecurity, and to impose more granular obligations on covered providers.

At a high level, and among other things, the Bill would:

  • require the Government to maintain a statement of its strategic priorities in relation to cybersecurity;
  • empower it to pass secondary legislation requiring certain organizations to take specific cybersecurity measures and/or to grant new powers to competent authorities;
  • as set out above, empower the Government to impose—in certain circumstances—specific cybersecurity requirements on all types of entities covered by the NIS Regulations, as well as other entities the Government chooses to designate. This includes a framework for imposing obligations on providers for national security purposes; and
  • empower it to issue codes of practice setting out more detail on the measures covered providers could take to comply with their obligations under the NIS Regulations.

*          *          *

The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on the NIS Regulations, NIS2, and other cybersecurity laws. If you have any questions about how the Cyber Security and Resilience Bill will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
      ◦ clinical trials and pharmacovigilance;
      ◦ digital health products and services; and
      ◦ engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS Regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
      ◦ supervising technical investigations and providing updates to company boards and leaders;
      ◦ advising on PR and related legal risks following an incident;
      ◦ engaging with law enforcement and government agencies; and
      ◦ advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.