In the much anticipated first King’s Speech of the new Labour Government on 17 July 2024, the monarch announced that the long anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst those new laws making their way onto Parliament’s schedule for the next year. Six years on from the implementation of the NIS Regulations 2018 (NIS Regulations) which, in common with our fellow EU Member States of the time, was based on the EU’s NIS1 Directive, the CS&R Bill recognises that the time is ripe for reform. While the NIS Regulations clearly took a step in the right direction to achieving a high level of cybersecurity across critical sectors, the new Bill recognises the need to upgrade and expand the UK’s approach to keep in step with an ever-increased cyber threat.
But in the UK, we are not alone in recognising cyber as one of the most significant threats of our age. In the recitals to NIS2, the EU Commission notes that the “number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems” with the result that they “impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society“. The EU’s response was to enact a bolstered NIS2 which significantly expands the number of entities directly in scope; includes a focus on supply chains; enhances the powers of enforcement and supervision available to local authorities; steps up incident reporting obligations; and imposes ultimate responsibility for compliance at a senior management level. With DORA, the EU adds another layer of regulation, trumping the requirements of NIS2 for the financial services sector.
So how will the UK’s new Bill compare? Our article looking at the initial indications released by Government to try and answer that question is available here.