New Cyber Bill Aims to Keep ‘The Lights On and the Taps Running’

The Cyber Security and Resilience Bill is designed to protect hospitals, utilities and transport networks from cyberattack, giving regulators stronger powers and businesses tougher duties to defend the UK’s most critical services.

Posted 13 November 2025 by Christine Horton


The UK Government has formally introduced the Cyber Security and Resilience Bill to Parliament as it moves to close vulnerabilities in the UK’s most vital public services and supply chains.

The new measures, said the Department for Science, Innovation and Technology (DSIT), are designed to “keep the taps running, the lights on and the UK’s transport services moving” amid a rising tide of digital threats.

For the first time, medium and large IT managed service providers (MSPs) that work with public sector bodies like the NHS will be brought under formal regulation.

Because these suppliers often have privileged access to government and critical national infrastructure systems, they will be required to meet strict security duties. These include reporting significant or potentially significant cyber incidents promptly to government and clients, and maintaining robust response plans to mitigate attacks.

Regulators will also gain new powers to designate “critical suppliers” to essential services such as healthcare diagnostics or water treatment chemicals. These suppliers would be mandated to meet minimum security standards, plugging potential vulnerabilities in national supply chains.

The Bill also proposes tougher, turnover-based fines for serious breaches. These, according to DSIT, ensure that “cutting corners is no longer cheaper than doing the right thing”.

Under the new framework, the Technology Secretary will be empowered to instruct regulators and operators, including NHS trusts, energy firms and water companies, to take action to prevent or contain cyber threats where national security is at stake.

This could include “beefing up monitoring” or isolating high-risk systems to protect critical operations, the department said.

The government’s independent fiscal watchdog, the Office for Budget Responsibility (OBR), has estimated that a major cyberattack on critical national infrastructure could temporarily increase borrowing by over £30 billion, or 1.1 percent of GDP.

‘Cyber Security is National Security’

Launching the Bill, Science, Innovation and Technology Secretary Liz Kendall said: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.

“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”

The government pointed to a series of high-profile breaches to justify tougher rules. Earlier this year, hackers accessed the Ministry of Defence’s payroll system via an MSP. The Synnovis attack on NHS pathology systems led to more than 11,000 disrupted medical appointments and procedures, with costs estimated at £32.7 million.

Under the new Bill, organisations in scope will have to report major incidents within 24 hours to regulators and the NCSC, followed by a detailed report within 72 hours. MSPs and datacentres will also need to notify affected customers quickly if their systems are compromised.

Datacentres will also be brought into regulatory scope for the first time. The Bill also introduces safeguards for organisations managing electricity flows to smart appliances like electric vehicle chargers and smart heating, bolstering resilience in the energy grid.

Said Kendall: “This is about protecting our economy, our public services, and our people. It’s about ensuring the UK remains one of the safest places in the world to live and do business in the digital age.”
