In a policy statement published Tuesday, the British government set out what its forthcoming Cyber Security and Resilience Bill will include when it is introduced to parliament later this year. The belated reworking of the country’s cybersecurity regulations comes three years after the previous government had prematurely described those laws as “updated” while failing to actually introduce the legislation.

The new legislation aims to complement a Home Office consultation proposing a major overhaul of how Britain responds to ransomware attacks, including by banning public sector bodies from making extortion payments and requiring all victims to report incidents to the government.

Critically, the law will also introduce a new power for regulators to identify and designate “specific high-impact suppliers” — expected to account for “a very small number and percentage of those suppliers providing goods or services” — who will have to comply with the same kinds of standards as critical national infrastructure entities. These will include not just Managed Service Providers (MSPs) but other cloud-based and digital services that form a critical part of many businesses’ supply chains. A trial run of a similar approach is already underway in the financial sector, where last year a group of some of the country’s largest banks pledged to incorporate Cyber Essentials, the government’s certification scheme, into their contractual supplier requirements. The new law will also “enable the government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP) in secondary legislation, subject to consultation,” announced the government.

The original law introduced duties for organizations in critical sectors to report cyber incidents to their regulators, but the thresholds for reportable incidents were based on the “interruption to the continuity of the essential or digital service,” meaning that organizations had no duty to report compromises that involved pre-positioning or reconnaissance so long as the attacker did not disrupt the target system. The bill widens what counts as a reportable incident. “This will include the compromise of data confidentiality, spyware attacks that use firms that provide digital services (including [Managed Service Providers]) as a vector to access other organisations, or other incidents significantly affecting the integrity of a system,” stated the government. Regulated entities will have to notify their sector-specific regulator and inform the National Cyber Security Centre (NCSC) within the first 24 hours of becoming aware of an incident.

Presently, there is no mechanism for the government to issue directions to regulated entities to address cyber threats, “even where this is judged to be essential for safeguarding national security.” The new measure would mean the government could issue a direction to a regulated entity regarding a specific cyber incident or threat. These directions “would be laid in Parliament to enable public scrutiny, unless doing so would present a national security risk,” said the government.

“In light of the rapidly evolving cyber threat and technology landscape, government must be able to update regulations to mitigate new risks and to capitalise on technological advancements,” stated the policy document.
Published on therecord.media, Tue, 01 Apr 2025 15:00:10 +0000.