Inside the UK Government's Cyber Security & Resilience Bill

The UK’s digital economy is vital to the nation’s success, underpinning technology and innovation, key infrastructure, businesses and essential public services.
But as a result of its importance, the technologies driving growth across these sectors are also increasingly vulnerable to attacks by cyber criminals.
In particular, hospitals, universities, local authorities and key institutions face a growing and complex range of threats. Recent cyber attacks affecting the UK Ministry of Defence and the National Health Service (NHS) demonstrated the potential severity of the attacks.
In September 2024, the UK Government announced the Cyber Security and Resilience Bill to address these challenges. It is designed to protect essential digital services, update critical infrastructure and security frameworks, and make supply chains and energy services more secure.
Building on this, the government has now set out the scope and ambition of the bill for the first time, detailing how it will boost the protection of critical national services including IT providers and introduce new measures to safeguard data centres.
Secretary of State for Science, Innovation, and Technology, Peter Kyle, says: “The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains and our citizens – the first and most important job of any government.”
Protecting critical businesses and services
Cyber threats cost the UK economy nearly £22bn per year between 2015 and 2019, causing significant disruption to businesses and the public.
In the summer of 2024, Synnovis, a provider of pathology services to the NHS, suffered a cyber attack that cost an estimated £32.7m and resulted in thousands of missed appointments for patients.
Government figures also show that a hypothetical attack on key energy services in the South East of England could wipe over £49bn from the UK economy.
As a result, the bill will boost defences for hospitals and energy suppliers and ensure that firms providing essential IT services are no longer an easy target for cyber criminals – 1,000 IT providers will form part of the initial measures set out.
“Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place,” says Secretary of State for Health and Social Care Wes Streeting.
“This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our Plan for Change.”
Action on critical infrastructure
The government will explore new ways in which it can respond effectively to cyber attacks against critical businesses and infrastructure, and how it can take action where necessary.
This includes the ability to direct regulated organisations, typically from industries such as finance and healthcare, to improve their cyber defences against new and existing threats.
Data centres, crucial to UK innovation and underpinning the rollout of new technologies like AI, need increased protection.
The government says the UK’s more than 200 data centres are “one of the main drivers of economic growth and innovation”, and that it will prioritise finding the best routes to ensure they are protected effectively.
Specifically on protecting businesses, the UK’s most recent iteration of its Cyber Security Breaches Survey highlights that 50% of British businesses faced a cyber breach or attack over the 12-month reporting period, with more than seven million incidents reported in 2024.
Richard Horne, CEO of the National Cyber Security Centre (NCSC), says the bill is a landmark moment for improving cyber defences. “It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.
“By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges,” he adds.
Future-proofing UK security
The proposals set out in the bill build on other UK Government actions to boost cybersecurity. This includes development of a specific standard for protecting the nation’s AI systems from attack while unlocking its full potential, and measures to support relevant training and upskilling.
If the policy proposals for the Cyber Security and Resilience Bill are adopted, businesses and their suppliers will need to meet more robust cybersecurity requirements, including data centres, managed service providers and critical suppliers.
In addition, regulators will have greater scope to improve and monitor security and resilience in key areas, while mitigating ongoing weaknesses.
Discussing the measures from an industry perspective, Carla Baker, Senior Director, Government Affairs UK&I at Palo Alto Networks, says: “We welcome the announcement of the Cyber Security & Resilience Bill and the policy statement that was published today. Building the UK’s cyber resilience is crucial to the UK’s security and national interest.
“Such a proactive stance helps the UK to not only safeguard its digital infrastructure, but also position itself as a global leader in cyber resilience, driving innovation, stimulating future economic growth, and reinforcing national security in the digital age.”




