eandt.theiet.org

UK cyber-security bill to tackle growing threats and safeguard critical infrastructure

The UK government has set out proposals for the Cyber Security and Resilience Bill, which is due to be brought before parliament later this year.

Under the bill, firms providing essential IT services to public services and the wider economy will be required by law to meet robust cyber-security standards.

These firms will also be required to provide a greater range of risk assessments to help identify potential threats.

Successful cyber attacks can have devastating effects on government organisations and public services, and on the citizens who rely on them.

According to the government, cyber threats cost the UK economy almost £22bn a year between 2015 and 2019.

This was seen in June 2024 when a cyber attack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. The government revealed this attack cost an estimated £32.7m.

A University of Cambridge study has found that a hypothetical cyber attack focused on key energy services in the south-east of England could wipe over £49bn from the wider UK economy.

In the year to September 2024, the National Cyber Security Centre (NCSC) has said it managed 430 cyber incidents, including 89 classed as nationally significant.

Amid these growing threats, the government said the new bill will ensure the vital infrastructure and digital services the country relies on are more secure than ever.

If the proposals are adopted, data centres, managed service providers and critical suppliers will need to meet robust cyber-security requirements.

Under the bill, new protections are also being considered for more than 200 data centres, which in September 2024 the government elevated to critical national infrastructure status.

The government said it is also exploring additional measures to ensure an effective and rapid response to new cyber threats. This includes giving regulators more power in monitoring the cyber defences of critical service providers, with the requirement that companies report more incidents to build a clearer picture of cyber threats.

The bill would also grant powers to technology secretary Peter Kyle to direct regulated organisations to shore up their defences amid the ever-changing cyber landscape.

Kyle said: “Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services that will deliver that growth is non-negotiable.

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world, giving us the power to protect our services, our supply chains and our citizens – the first and most important job of any government.”

Richard Horne, CEO of NCSC, said: “It is a pivotal step toward stronger, more dynamic regulation – one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.”

The bill has been largely welcomed by industry; however, issues have been raised concerning skills.

Andrew Rose, CSO at security awareness company SoSafe, said: “It is encouraging to see the government set out legislative plans to become the most secure economy globally. While it is positive to see a crackdown on security measures, supply chains, reporting and regulation, it is essential that the government addresses the elephant in the room – that most cyber attacks target human vulnerabilities rather than technological ones.

“Training and educating staff must be a priority. The importance of providing your first line of defence – your people – with the necessary tools and knowledge to deter criminals should not be underestimated by both the government and businesses.”

Jayne Black, digital futures policy manager at the Institution of Engineering and Technology, said: “It is increasingly important that the UK keeps ahead of emerging threats and has a robust and resilient cyber-security sector, led by best practice in government. This includes upskilling and reskilling as appropriate to recognise vulnerabilities in new technology.

“The UK should also look to harmonise legislation in this area with international benchmarks to ensure it supports global businesses to protect themselves against attack.”
