In Summary: The Cyber Security and Resilience Bill, what it means and to whom

Written by Airwalk Reply Manager Tom Heyes

“We are facing unprecedented threats to our critical national infrastructure, posing a risk to UK citizens.”

At the dawn of a new financial year and following trends to regulate Operational Resilience in Global Financial Services sectors, the Department for Science, Innovation and Technology (DSIT) has outlined its response to increasing concerns over the resilience of critical government operations and public services¹.  A new policy statement in response to recent cyber threats, infrastructure vulnerabilities and geopolitical uncertainties will build on previous Network and Information Systems (NIS) frameworks to improve technology and operational resilience in the public sector and its critical supply chains. 

Who this policy affects

One of the most significant changes brought about by the Cyber Resilience Bill is the expansion of in-scope entities. If ratified, it will extend existing and introduce new requirements for firms associated with the delivery of UK national public services, including: 

  • Government departments and agencies responsible for delivering essential public services.
  • Private sector entities that provide critical infrastructure or outsourced services to the government.
  • Regulatory bodies overseeing operational resilience and cybersecurity compliance.

The major shift here is the extension by association to private sector organisations, specifically but not exclusively extending to organisations that provide services such as:

  • Managed IT services
  • IT infrastructure and applications management
  • IT remote support and service integration and management (SIAM)
  • Managed security service providers (MSSPs)
  • Managed security operations centres (SOCs)
  • Security information and event management (SIEM) providers
  • Incident response and threat and vulnerability management providers
  • Business process outsourcing

In summary, a large section of traditional IT outsourcers and SaaS providers is likely to fall into the scope of this Bill and be required to comply with the stipulated measures.

Bill highlights and measures 

  • Introduction of enhanced incident response requirements: In-scope organisations must establish protocols for sharing incident details with the National Cyber Security Centre (NCSC). The aim is to increase the frequency of reporting, the monitoring and transparency of risks, and to support service restoration.
  • Enhancing supply chain resilience risk management: As seen with DORA and the FCA Operational Resilience regulations in the financial services sector, government bodies and in-scope entities will be required to conduct enhanced due diligence on suppliers, including third-party risk assessments, to identify and manage supply chain risk more effectively.
  • Increasing cybersecurity and infrastructure protections: Strengthened cybersecurity standards will be enforced, with penalties available for non-compliance. Expectations for failure testing, broader scenario planning and regular reporting will become critical.
  • Powers of enforcement for the Secretary of State: The Bill introduces new powers for the Secretary of State to direct regulators to advise their sectors to adopt more stringent cyber security measures where necessary for national security.

What happens next?

The Cyber Security and Resilience Bill will be taken forward to Parliament in 2025. Further details on effective dates, final requirements and obligations for firms will subsequently be made available.

Conclusion 

The reality is that these new regulatory requirements are likely to yield significant changes across the Public Sector technology landscape in the years ahead. Specifically, we can foresee major changes in procurement and operational processes, infrastructure, network and security architectures and investments, and an increase in senior-level focus on supply chain and technology resilience. 

Don’t get caught out; resilience transformation takes time and involves a multi-disciplinary response across Risk, IT, Security and Sourcing. Now is the time to prepare: review the existing Operational Resilience and DORA measures in financial services, talk to cross-industry peers and start building a plan to transform your end-to-end supply chain resilience position.

Talk to us at Airwalk Reply; we are experts in Operational Resilience.

¹ Cyber Security and Resilience Bill - GOV.UK