THE LENS
Digital developments in focus

CSRB finally published – how will this new cyber law affect you?

The UK’s cyber threat is on the rise. From headlines about major breaches at household names, to stark NCSC statistics (including a 50% surge in significant incidents) and urgent warnings from the UK Government, the message is clear.

Against this backdrop, the UK Government is strengthening its cyber laws for critical services. On 12 November, it published the Cyber Security and Resilience Bill (CSRB), which will update the Network and Information Systems (NIS) regime that has been in place since 2018. Meanwhile, the EU has already taken similar steps: its updated NIS2 legislation has been in force since January 2023 (see blog).

CSRB Overview

The CSRB will:

  • Expand the remit of the regulation to protect more digital services and supply chains. For example, it will bring managed service providers (MSPs), data centres and large load controllers (i.e. those managing electrical load for smart appliances) in scope. It will also enable regulators to designate critical suppliers (the most important suppliers to essential and digital services), bringing them in scope as well.
  • Put regulators on a “strong footing to ensure essential cyber safety measures are being implemented.” This includes potential cost recovery mechanisms to provide resources to regulators like the Information Commission. It will also enable them to proactively investigate potential vulnerabilities.
  • Increase incident reporting to give the Government better data on cyber attacks. The Bill introduces a 24-hour initial notification obligation which will be triggered by incidents “capable of having an adverse effect” (a lower threshold than the current rules, which require an actual adverse effect to have occurred). The CSRB also details what information must be included in the notifications. We know from the discussions around the CSRB, and also from the Government’s new ransomware proposals (see blog), that there is a real drive in Government and the NCSC to gather more intelligence around attacks to help improve its understanding of the threat landscape.

The changes it introduces are, however, not as far reaching as those introduced under the EU’s NIS2. For example, the CSRB does not:

  • Include specific security requirements. NIS2 sets out a list of minimum security requirements. While the CSRB requires organisations to have appropriate and proportionate security measures in place, the details around what that security looks like are left for secondary legislation and/or guidance.
  • Introduce management body style NIS2 liability (see our article for details on the NIS2 requirements).
  • Expand the regime to as many new sectors as NIS2. While NIS2 added 11 new sectors, the CSRB is currently only focussed on three new sectors (see above). NIS2 sectors like manufacturing, food distribution, space and postal are not currently included.
  • Include the Government’s proposed new ransomware rules (see blog). The UK Government has previously stated that it will push ahead with plans to introduce a targeted ban on ransomware payments alongside ransomware prevention and notification schemes, but the details on this are not in the CSRB.

Comment

This update to the UK’s NIS regime has been on the cards for some time now and we already knew, from a statement released in April (see blog), what many of the changes would look like. But what will it mean in practice?

  • For those already in scope of the current NIS rules, processes will need to be changed to manage revised security and notification obligations (including being ready to provide an initial incident report within 24 hours).
  • For those who the CSRB brings in scope for the first time, again changes will be needed to manage new security and notification obligations and ensure these work alongside existing GDPR processes.
  • For organisations who use managed service providers and/or data centres, the CSRB aims to strengthen supply chain resilience. It brings key suppliers in scope of the UK’s cyber rules, which may affect the contractual protections sought by those customer organisations.

Table of sectors:

Current UK NIS scope

Operators of essential services:

  • Energy – electricity, oil, gas – e.g., energy suppliers and electricity transmission and distribution
  • Transport – rail, air, maritime, road – e.g., air traffic control, traffic management and rail signalling
  • Health – including NHS trusts, integrated care boards and independent providers
  • Drinking water – water companies – e.g., water treatment and purification, and distribution
  • Digital infrastructure – including internet exchange points and domain name system providers

Some digital services, including:

  • Online marketplaces, online search engines and cloud computing services

Additional sectors introduced by the CSRB:

  • Data centres: Data centres are critical to nearly all economic activity and public services. Data centres will be classed as essential services, and data infrastructure as a NIS sector. Medium and large data centres and enterprise data centres meeting the thresholds will be required to have appropriate and proportionate measures in place to manage risks. The Department for Science, Innovation and Technology (DSIT) and Ofcom will act as joint regulators, with Ofcom serving as the operational regulator.
  • Managed service providers: Many companies now outsource their IT services to managed service providers, who may provide IT helpdesks and cyber security services. They have unprecedented access to their customers’ systems, making them an attractive target that cyber actors increasingly exploit. Medium and large managed service providers will be brought into scope. The Information Commission will be the regulator. The Government’s April statement on the Bill (see blog) did state that in-house IT teams would not be caught, although the Bill is less clear on this point. It instead defines a managed service as “A service which is provided by a person under a contract entered into with another person, (i.e. the customer), for the provision of ongoing management of information technology systems for the customer.”
  • Large load controllers: Load controllers are organisations managing electrical load for smart appliances, e.g., to support electric vehicle (EV) charging during peak times. Large load controllers will be brought into scope, reducing the risk of grid disruption.
  • Designated critical suppliers: Sometimes a supplier’s cyber vulnerability can severely affect vital public services. As with the financial services sector’s critical third parties regime, regulators will be able to designate critical suppliers, bringing the most important suppliers to essential and digital services in scope.


Tags

cyber, data, tech procurement and cloud