The Department for Science, Innovation and Technology (DSIT) has unveiled a set of “tough new laws” designed to better protect hospitals, transport, energy and water supplies from cyber-attacks.
Under proposals for the Cyber Security and Resilience Bill, medium and large companies providing services like IT management, IT help desk support and cybersecurity to private and public sector organisations, including the NHS, will be regulated for the first time.
The government said that because they hold trusted access across critical national infrastructure and business networks, they will need to meet clear security duties, including reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences.
Regulators will be given new powers to designate critical suppliers to the UK’s essential services, like those delivering healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. These organisations will have to meet minimum security requirements, closing gaps in supply chains that bad actors could exploit to cause disruption.
The DSIT said that enforcement will be “modernised” with tougher turnover-based penalties for serious breaches so that “cutting corners is no longer cheaper than doing the right thing.”
The technology secretary will also gain new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber-attacks where there is a threat to UK national security. This will include a requirement for these organisations to improve monitoring and isolate high-risk systems to secure essential services.
The move comes as the Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion – equivalent to 1.1 per cent of GDP.
Independent research published by the government on Wednesday also shows that the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7 billion a year across the economy, or 0.5 per cent of the UK’s GDP.
Recent attacks on public institutions have brought into sharp focus the impact cyber incidents can have across essential services.
In 2024, hackers accessed the Ministry of Defence’s payroll system via a managed service provider.
During the same year, a cyber-attack on NHS partner Synnovis led to over 11,000 disrupted medical appointments and procedures, with some estimates suggesting costs of £32.7 million.
“This legislation will enable us to confront those who would disrupt our way of life,” said technology secretary Liz Kendall. “I’m sending them a clear message: the UK is no easy target.
“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
National Cyber Security Centre chief executive Dr Richard Horne said that the real-world impacts of cyber-attacks have never been more evident than in recent months.
“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services,” continued Horne. “Cybersecurity is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires.”
The Bill launch comes after the government published the Cyber Governance Code of Practice earlier this year. The Code sets out clear steps organisations should take to manage digital risks and safeguard their day-to-day operations.
The DSIT said that whilst it is for companies to ensure they have proper protections in place, the new legislation targets those that will have the maximum impact on improving cyber resilience.
Under the new rules, organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre within 24 hours, with a full report within 72 hours.
If a data centre or a digital or managed service provider faces a “significant or potentially significant attack”, it must quickly notify customers that are likely to be impacted so organisations can “act fast to protect their business, people and services.”
New safeguards will also cover organisations that manage the flow of electricity to smart appliances like electric vehicle charge points and electrical heating appliances in homes.