In a recent update from the Secretary of State for the Department for Science, Innovation and Technology (found here, Cyber security and resilience policy statement – GOV.UK), the UK Government has started to address some of this anticipation, dropping clues as to how the CS&R Bill will look when compared to its European cousin. So, what have we learnt about the Bill and its alignment with NIS2?

Expanded scope

In addition to the current in-scope sectors (energy, transport, health, drinking water supply and distribution, and digital infrastructure, as well as some digital services such as online marketplaces, search engines and cloud computing), the policy statement confirms the intention to bring Managed Service Providers (“MSPs“) within the remit of cyber security regulation, subjecting them to the same duties as ‘relevant digital service providers’ under the current NIS regulations. MSPs (also regulated by NIS2) are B2B services that provide IT systems, infrastructure and network support.

The Government also demonstrated its commitment to bolster supply chain security for operators of essential services (“OES“) and relevant digital service providers (“RDSPs“) that meet certain thresholds. Secondary legislation is intended to be used as a vehicle for imposing stricter duties on contractual requirements, security checks and continuity plans in an effort to target underlying cyber vulnerabilities in supply chains echoing, if not exceeding the requirements of NIS2 to ensure cybersecurity controls extend to the supply chains of in-scope entities. Additionally, regulators will have the power to identify suppliers of critical services (including SMEs) whose disruption could cause significant impacts on the essential/digital service being supplied. These will be classed as “designated critical suppliers” (“DCS“), bringing them within scope of core security requirements and reporting obligations.

While expansion of the UK’s cybersecurity regime to include MSPs and critical supply chains will bring us one step closer to the reforms sweeping EU nations, it is unclear whether the UK will follow Europe in expanding the scope of cyber regulation to include sectors such as public administration entities, space, manufacturing, food production and postal and courier services (to name but a few).

Regulatory reinforcement

Perhaps amongst the measures most easily associable with the CS&R Bill’s European counterpart will be the updated incident reporting criteria. Incidents that are “capable of having a significant impact on the provision of essential or digital services and that significantly affect the confidentiality, availability, and integrity of a system” will need to be reported. This closely follows the requirements found in Art 23 of NIS2, as does the requirement that entities such as data centres and those providing digital services will be obligated to report incidents directly to customers in certain instances.

Equally alike in their resemblance to NIS2 are the reporting deadlines, with the relevant regulator and National Cyber Security Centre (“NCSC“) to be notified of significant incidents within 24 hours, and further incident reports to be provided within 72 hours. As the policy statement makes clear, “in practice [the Government] intends this procedure to be similar to, and no more onerous, than the… NIS2 directive“.

To provide some steer to regulators in their additional duties, the Government aims to issue a code of practice setting out guidance on minimum regulatory requirements which will put the existing NCSC Cyber Assessment Framework (CAF) profiles on a firmer footing and extend their scope to include OES. Particular focus is also given to the UK Information Commissioner (“ICO“) as a national guardian of cyber security, with a raft of seemingly familiar powers relating to registration and notice requirements, information sharing and enforcement, being introduced to support risk identification and mitigation. This all comes with a boost in financial means, as regulators will be able to set fees regimes and recover costs through various measures in order to contribute to financing their increase in regulatory work.

Measures to keep on your radar

Despite not confirming their inclusion in the CS&R Bill, the Government flagged upcoming measures to keep an eye on. Most notable would be the classification of data centres as an essential service, bringing them within scope of the regulatory framework and aligning with NIS2’s approach. This has been contemplated since their designation as Critical National Infrastructure in September 2024 and would aim to strengthen the level of consistency and protection across the sector.

Other contemplated measures include bolstered powers for the Secretary of State, allowing a Statement of Strategic Priorities to be issued as well as powers of direction relating to entities and regulators. Collectively, these would allow the Government to require certain actions be taken to address significant incidents and threats to national security.

Conclusion

In summary, it is clear that the Government’s planned amendments to the current NIS Regulations will make clear and decisive steps to bridge UK cyber laws and the new European NIS2 regime. However, the CS&R Bill does not appear to be following NIS2 in expanding the reach of its reforms to a raft of new industries. While Managed Service Providers are the biggest industry to whom new UK laws will apply, it is likely that many of the industries new to the NIS2 regime – for example food producers and chemicals manufacturers – will remain beyond the UK’s cyber reforms. Only time will tell whether that remains the case when the fully-formed Bill hits the statute books, the timing of which is still unclear.

From the little we do know however, it is evident that the burden and application of cyber regulation together with accompanying cyber certifications and industry standards will only increase, making it more critical than ever that businesses operating in both the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Only then can businesses be ready for the inevitable swathe of new cyber regulation hitting UK shores, as well as the very real cyber threat it is all aimed at combatting.

1. Prepare your communications strategy in advance

A cyber incident can hit any organisation, regardless of size, at any time. The NCSC therefore advocates a proactive strategy ready to be deployed when required, to lessen the impact of the incident.

Steps to consider include:

• Identifying an official spokesperson for the organisation when communicating with stakeholders such as the media, customers and employees.
• Identifying key stakeholders ahead of time. Who needs to be informed, and how will this be achieved (bearing in mind that usual channels may be unavailable)?  
• Drafting and agreeing pre-approved templates for communications. Whilst no one size will fit all, this can include style media requests, internal updates to staff and notifications to customers, to be tailored as necessary. Drafting these templates ahead of time will save time and ensure the organisation is speaking with a unified voice.

The NCSC highlights the importance of regular testing of the strategy, through tabletop exercises and simulations, to ensure its effectiveness and identifying any areas for amendment or improvement.

2. Communicate clearly and tailor your messaging where necessary

The NCSC states that communications should be ‘clear, consistent, authoritative, accessible and timely’. It is also important that any communications released before, during or after a cyber security incident inform stakeholders whilst also maintaining reputation and credibility. Factors to consider include:

• Information to stakeholders needs to be clear, but balanced to ensure that information is not disclosed that may heighten any risk to the victim, or which runs the risk of requiring later retraction as the incident develops. It is essential to ensure the communication strategy suits key stakeholders, and that specific concerns of each group are addressed.
• The impact of the incident should be reflected in communications to those who suffer consequences, with acknowledgment of the practical consequences as opposed to focussing solely on technical detail.
• Development of a Q&A document should be an early priority in incident response: preparation of responses to common stakeholder queries in advance will enable consistency in response and provide assurances that communications address key and recurrent concerns.

3. Manage the aftermath

Finally, NCSC guidance urges organisations to think about the long term. Whilst an immediate response in the aftermath of an incident will be the primary focus consider what the approach is going to be in the weeks and months after, depending on the recovery time. How regularly will you provide updates? How will any incident and subsequent responses be used to inform future preparedness and any lessons learned?

How can we help?

The NCSC guidance provides welcome direction on the expectations on organisations when preparing for and responding to cyber security incident. The key message – in keeping with any cyber resilience strategy is to prepare ahead of time. Increasingly, we are seeing regulators, customers, and other stakeholders taking interest in the controls and procedures that were in place prior to any cyber incident and their fitness for purpose.

Taking time long before the “white heat” of any incident to design, deploy and ensure the continued fitness for purpose of response plans, including communications, is time well spent.

Should you wish to discuss communications response plans, table top exercises, or any other aspects of cyber resilience planning, then please do not hesitate to contact us.

But in the UK, we are not alone in recognising cyber as one of the most significant threats of our age. In the recitals to NIS2, the EU Commission notes that the “number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems” with the result that they “impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society“. The EU’s response was to enact a bolstered NIS2 which significantly expands the number of entities directly in scope; includes a focus on supply chains; enhances the powers of enforcement and supervision available to local authorities; steps up incident reporting obligations; and imposes ultimate responsibility for compliance at a senior management level. With DORA, the EU adds another layer of regulation, trumping the requirements of NIS2 for the financial services sector.

So how will the UK’s new Bill compare? Our article looking at the initial indications released by Government to try and answer that question is available here.