
Updated 9:10 BST, April 3 2025 with DSIT responses
Compelling critical infrastructure companies to boost their cyber resilience, swiftly changing cyber regulations, and regulating data centres are all on the UK government’s wish list of new powers in its long-awaited cybersecurity bill.
Described as an attempt to bolster cyber protections for key infrastructure, such as hospitals and energy suppliers, the Cyber Security and Resilience Bill proposals could see 1,000 service providers subject to new regulatory powers.
The measures will support “agile, pro-innovation regulation”, according to Technology Secretary Peter Kyle, who said it was vital to support businesses and “recognise the unique threats that the UK faces now and the threats that we cannot yet predict in the decades to come.”
While the bill is not set to be introduced to parliament until later this year, the policy statement released by the Department for Science, Innovation and Technology (DSIT) provides the best look at the details of the bill since it was announced shortly after the government came to power last year.
The proposals could bring more entities into the scope of the updated Network and Information Systems Regulations 2018 (NIS Regulations), with cybersecurity duties imposed on around 1,000 third-party managed service providers, and on certain providers that would become “designated critical suppliers”.
This could prove particularly impactful for smaller providers, which have previously avoided the 2018 regulations but could be brought under their purview if their services are deemed critical to the operation of an “essential or digital service.”
An extended scope for the regulations could also see data centres receive “proportionate regulatory oversight”, according to the statement, following their designation as critical national infrastructure in September. DSIT told The Stack this would require data centres to meet a range of requirements on incident reporting, information sharing, and employee cyber security training.
Those covered by the new law would include UK data centres with a capacity of 1MW or above, or enterprise data centres with a capacity of 10MW or greater, though the scope would be “adjustable over time”.
The government’s proposals could also hand it sweeping new powers through the Technology Secretary, who may be empowered to change cyber regulations without consulting parliament and to direct organisations to “shore up their cyber defences.”
This would allow intervention to “protect networks where necessary for national security”, said the government, and could see organisations fined up to 10% of “relevant turnover” or £100,000 a day for breaching a security directive.
As to how the government arrived at its proposals, DSIT said the measures are informed by similar international legislation, including the EU's NIS2 framework, and by responses to two consultations conducted under the previous Conservative government.
DSIT told The Stack it would continue to engage with stakeholders as the proposed measures are developed further, before tabling the bill before Parliament later this year.
And the industry says…
While early reactions from the cybersecurity and IT services sector are broadly supportive of what the government is trying to do here, one CTO described the bill as a "step in the right direction" but told The Stack the legislation could risk overwhelming businesses.
Bharat Mistry, Field CTO at cybersecurity company Trend Micro, said: "smaller businesses might find the new regulations overwhelming and confusing. They may struggle to understand and implement the required changes, leading to compliance challenges."
While Mistry said these challenges "could result in a significant burden for them, both financially and operationally", he also acknowledged the "wake-up call" regulations could give to businesses "slow to adopt comprehensive cybersecurity measures."
In a similar vein, Carla Baker, Senior Director of UK&I Government Affairs at network security firm Palo Alto Networks, said proposed powers should be used to jolt the public sector into action after multiple assessments deemed a number of civil service IT systems to be particularly vulnerable to attacks.
She said: “The government can no longer afford to sit on the sidelines and solely focus on pushing security obligations onto industry. Recent high profile public sector cyber attacks have demonstrated exactly why the government must do more to enhance its own resilience and lead by example. The time to act is now.”
Similarly, hardware cybersecurity solutions provider X-PHY said the proposals didn't go far enough and called for the government to support innovations in cyber resilience alongside regulations.
CEO Camellia Chan said: "It is crucial that organisations, IT providers and data centres proactively assess security gaps and address them with innovative and proven tools. CNI cannot afford to rely on traditional software security such as firewalls and VPNs."