
New UK laws to strengthen critical infrastructure cyber defenses


The United Kingdom has introduced new legislation to boost cybersecurity defenses for hospitals, energy systems, water supplies, and transport networks against cyberattacks, which are linked to annual damages of nearly £15 billion ($19.6 billion).

The Cyber Security and Resilience Bill, introduced in the UK Parliament on November 12, builds upon the existing Network and Information Systems (NIS) Regulations 2018 and represents a fundamental overhaul of Britain's approach to protecting essential services.

It addresses growing threats that have led to major NHS disruptions, impacting over 11,000 medical appointments, and the compromise of the Ministry of Defence's payroll systems.

"Hospitals, energy and water supplies and transport networks will be better protected from the threat of cyber-attacks under new laws being introduced in Parliament today (12th November)," the Department for Science, Innovation and Technology said on Wednesday.

"In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK's transport services moving – while making sure those who supply our vital services have tougher cyber protections."

The bill requires medium and large IT management, help desk support, and cybersecurity service providers to comply with mandatory security standards for the first time. These managed service providers will also be required to have effective response plans in place and report significant cyber incidents to the National Cyber Security Centre (NCSC) and their regulator within 24 hours (with full reports due within 72 hours).

Regulators will be able to designate critical suppliers, such as healthcare diagnostic providers or chemical suppliers for water companies, mandating that they meet minimum security standards to address supply chain vulnerabilities.

The Technology Secretary will have the authority to direct regulators and organizations, such as Thames Water and NHS trusts, to take actions (e.g., enhanced monitoring, system isolation) when national security is threatened.

The new legislation also includes turnover-based penalties for serious breaches, making compliance more cost-effective than corner-cutting, and extends protections to data centers and organizations managing smart energy infrastructure, like electric vehicle charging points.

New independent research highlighted in the UK government's press release shows that the average "significant cyberattack" in the UK costs over £190,000, totaling roughly £14.7 billion each year, the equivalent of 0.5% of the country's GDP.
