UK Cyber Security and Resilience Bill will be both similar and different to the EU's NIS 2
Published on 30th May 2025
Businesses can still assess ahead of the UK bill's publication if they could be caught and their potential obligations

Details have now emerged of the UK government's new Cyber Security and Resilience Bill (CSRB) allowing businesses to make first steps to prepare for its introduction ahead of the publication of the full text. With an eye also on other cyber standards and requirements and interim compliance measures, such as the EU's ongoing compliance programmes for its NIS 2 cybersecurity legislation, UK businesses can start to incorporate these latest developments into their approach to compliance.
The UK government previewed the contents of its new CSRB with a policy statement released on 1 April, with the legislation intended to strengthen the cyber resilience in sectors deemed critical for the UK and its economy.
Many UK businesses are now looking to assess whether they could be in scope of the new law and, ahead of the release of the full text of the bill, whether the information provided in the policy statement at this stage warrants further action. There will also be a focus across UK organisations on whether the CSRB fits into the broader patchwork of cyber regulation and standards that may apply to their businesses.
What will the CSRB do?
The CSRB will "make crucial updates" to the Network and Information Systems (NIS) Regulations 2018 – the UK’s existing and only cross-sector cyber legislation. The updates will expand the scope of UK cyber law, increasing the number of businesses affected and imposing on them additional and more granular obligations.
The policy statement makes clear that the CSRB will align, where appropriate, with the approach taken in EU Directive 2022/2555, known as NIS 2, which suggests that businesses may have some opportunity to utilise compliance measures already being implemented to adhere to that law.
In contrast to NIS 2, which replaced NIS 1 (Directive 2016/1148) in the EU, the CSRB appears to update rather than replace the UK NIS Regulations. UK lawyers will have to wait and see if they will need to continue to cross-refer to two fairly complex pieces of legislation – the UK General Data Protection Regulation and the Data Protection Act 2018 – and the extent to which existing standards and guidance remain relevant in their current form.
These would include the National Cyber Security Centre's Cyber Assessment Framework (NCSC CAF) that was developed predominantly to help operators of essential services (OESs) to comply with their cybersecurity risk management measures under the UK NIS Regulations.
Who is in scope of current UK NIS Regulations?
Currently, the UK NIS Regulations apply to OESs in the energy, transport, health, drinking water and digital infrastructure sectors, and to relevant digital service providers (RDSPs) providing online marketplaces, online search engines and cloud computing services.
CSRB's added entities
Managed service providers (MSPs) will be brought within scope, and data centres are likely to be. The policy statement's final section, which covers additional measures under consideration, suggests that there is an intention to bring UK data centres of a certain capacity within scope, although this may be done either in the CSRB or in future legislation.
"High impact suppliers" of goods or services not yet specified are likely to be brought within scope. In addition to more prescriptive obligations expected in the CSRB on how OESs and RDSPs must manage their own suppliers (essentially equating to indirect regulation of the supply chain), the CSRB will allow regulators to designate a supplier, not otherwise within scope, as a designated critical supplier.
Some additional small and medium-sized enterprise (SME) RDSPs that are currently exempt because of their size will also be brought within scope: a criterion similar to that applied to "high impact suppliers" will capture critical RDSPs regardless of their size.
Whether or not it would be prudent to extend the scope even further, as NIS 2 does, subjecting these additional entities to the CSRB is a significant step in broadening the application of UK cyber law, and one that will likely benefit service users. Recent incidents have reinforced the lesson that hugely consequential security incidents and personal data breaches can arise when an important but low-profile supplier's outage affects a large number of its customers, a theme picked up by the policy statement's observation that "a single supplier's disruption can have far reaching impacts".
A substantial number of new businesses will be in scope: MSPs
The largest number of new in-scope businesses will be MSPs. The UK government estimates there will be an additional 900 to 1,100 in-scope MSP entities. The full definition of an MSP will not be available until the CSRB is published, but it will likely include a significant number of business-to-business (B2B) IT service providers.
The policy statement provides that MSPs will be treated as RDSPs and, like RDSPs, they will be regulated by the Information Commissioner’s Office (ICO) – the significance of which will remain to be seen.
Will the distinction between OESs and RDSPs be retained?
Unlike NIS 2, which has removed the distinction between RDSPs and OESs, the policy statement suggests that the distinction will be retained under the CSRB. A crucial question, however, will be the extent to which the different requirements that currently apply to OESs and RDSPs will be harmonised.
Under the existing UK NIS Regulations, OESs and RDSPs are subject to similar but different technical and methodological security requirements. The ICO assesses RDSPs against the specific requirements – which are fleshed out by its own guidance – of EU Regulation 2018/151. This accompanied the underlying EU NIS Directive on which the UK NIS Regulations were based. It provides more specific and detailed requirements for RDSPs, whereas OESs are assessed by their sector specific regulators against the requirements of the NCSC CAF.
The policy statement suggests that these respective requirements will be updated and brought into closer alignment with NIS 2. It also suggests that this will be done through secondary legislation, noting that the bill will provide the secretary of state with "powers to make regulations to update the existing requirements". This would be supported by one or more codes of practice setting out more practically how the regulatory requirements will be satisfied.
Given that the government will also have the power to tailor the codes' requirements for each sector, it may be some time before we have a full picture of what these requirements are and how uniformly they apply across OESs and RDSPs.
In the interim, a useful exercise for those wanting to future-proof their compliance programmes may be to conduct a gap analysis against the cybersecurity risk management measures set out in NIS 2 (including article 21.2 and, more particularly, the annex to the Commission implementing regulation that lays down rules for the application of EU Directive 2022/2555).
NIS 2 and the CSRB
The CSRB will align with NIS 2 "where appropriate": prudent businesses would therefore likely want to consider the requirements of NIS 2 for MSPs, data centres and other entities newly in scope. For businesses that are already subject to the UK NIS Regulations, a gap analysis comparing NIS 2 with the NCSC CAF or ICO guidance would be a quicker exercise, since they should already have cyber measures in place that are aligned to one of these regimes.
The implementation deadline for NIS 2 and the new EU cybersecurity compliance regime was on 17 October 2024 for member states to transpose the directive into their national laws.
There are also NIS 2 requirements referred to in the UK's policy statement. NIS 2 includes specific requirements for supply chain security, including for in-scope entities to prepare relevant policies, impose specific contractual requirements and, in certain circumstances, conduct or arrange security audits and assessments of their suppliers.
Some or all of these measures are also likely to feature in the CSRB, with the policy statement stating that it will "empower the government to clarify, in secondary legislation, duties on OES and RDSP to manage supply chain cyber risks."
NIS 2 also provides a multi-stage approach to incident reporting with tiered deadlines. Under the CSRB, there will be a similarly tiered approach, including a new 24-hour incident notification obligation.
NIS 2 requirements that are not referred to in the policy statement include training obligations. Although the policy statement is silent on these measures, it would be surprising if these were not included. The policy statement also does not include the need for board approval of cybersecurity risk management measures, with NIS 2 providing that boards may be held liable for non-compliance: although this is not mentioned in the policy statement, regulatory trends suggest that it may also feature in the CSRB.
Osborne Clarke comment
The CSRB represents a significant step forward in fortifying important UK businesses against evolving cyber threats. It will make a material difference to UK businesses newly in scope, including a very large number of MSPs. Arguably, however, it may create broader ripples affecting businesses that are not directly regulated if, for example, they share a common supply chain with regulated entities. For businesses in scope of both the CSRB and NIS 2 – or that are subject to other cyber laws – there will be additional factors to consider as they look to align to both regimes.
It is early days in the development of the CSRB and substantive compliance measures should only be considered once the full text has been published. However, as the cyber landscape continues to evolve, proactive preparation will be key to ensuring compliance and resilience. Businesses will be looking to stay informed about the developments of the CSRB, so they can consider whether they are likely to be caught and, if so, begin to assess their potential obligations.
As details emerge, not just of the CSRB but of other cyber standards and requirements, interim compliance measures, such as ongoing NIS 2 compliance programmes, should incorporate the latest developments wherever possible.
Who is in scope? UK NIS Regulations, NIS 2 and the CSRB
In-scope sectors and industries
See below for a summary comparison of in-scope sectors and industries under the current UK rules, the EU rules and the forthcoming UK rules in the CSRB (as referred to in the policy statement).
- UK NIS Regulations
  Operators of essential services:
  - Energy
  - Transport
  - Health
  - Drinking water
  - Digital infrastructure, comprising:
    - Internet exchange point providers
    - Domain name system (DNS) service providers
    - Top-level domain (TLD) name registries
  Digital service providers:
  - Online marketplaces
  - Online search engines
  - Cloud computing services
  While banking and financial market infrastructures are included in the NIS Directive (that is, the EU's NIS 1 on which the UK NIS Regulations are based), they were excluded from the NIS Regulations because these sectors were already subject to cyber security requirements set by the Bank of England and Financial Conduct Authority.
- NIS 2
  NIS 2 removes the distinction between OESs and DSPs, but the following sectors are in scope:
  Same as NIS Regulations:
  - Energy
  - Transport
  - Digital infrastructure, comprising internet exchange point providers, DNS service providers and TLD name registries
  - Digital providers of online marketplaces and of online search engines
  Not included in the NIS Regulations:
  - Banking
  - Financial market infrastructure
  - Health
  - Drinking water
  - Cloud computing service providers
  - Data centres
  - Content delivery networks
  - Trust service providers
  - Public electronic communications networks (PECNs)
  - Providers of publicly available electronic communications services (PECSs)
  - ICT service management (B2B), comprising managed service providers (MSPs) and managed security service providers (MSSPs)
  - Public administration
  - Space
  - Postal and courier services
  - Waste management
  - Manufacture, production and distribution of chemicals
  - Production, processing and distribution of food
  - Manufacturing: medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers; and other transport equipment
  - Digital providers of social networking services platforms
  - Research organisations
- CSRB (as referred to in the Policy Statement)
  Operators of essential services (same as NIS Regulations):
  - Energy
  - Transport
  - Health
  - Drinking water
  - Digital infrastructure, comprising internet exchange point providers, DNS service providers and TLD name registries
  Digital service providers (same as NIS Regulations):
  - Online marketplaces
  - Online search engines
  - Cloud computing services
  Not included in the NIS Regulations:
  - Managed service providers (MSPs)
  - Data centres
Are there any threshold requirements: how big must an entity be to be within scope?
- UK NIS Regulations
Yes, for the UK NIS Regulations to apply the relevant entity must employ 50 persons or more and have an annual turnover over €10 million.
- NIS 2
Yes, for NIS 2 to apply (to most of the entities listed above), the relevant entity must employ 50 persons or more and have an annual turnover over €10 million.
These threshold requirements do not apply in the case of PECNs or PECSs, trust service providers, DNS service providers, TLD name registries or public administrations.
- CSRB (as referred to in the Policy Statement)
It appears likely that the same thresholds will apply as set out in the UK NIS Regulations. However, this is not confirmed.
Other threshold requirements are more explicitly referred to: data centres will only be in scope if they have a capacity of 1MW or above. And enterprise data centres will only be in scope if they have a capacity of 10MW or above.
New in-scope entities: MSPs
- UK NIS Regulations
Not in scope.
- NIS 2
MSPs are within scope. NIS 2 includes the following definition of an MSP: ‘managed service provider’ means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.
- CSRB (as referred to in the Policy Statement)
MSPs are within scope. According to the policy statement, an MSP is a service which:
- Is provided to another organisation (that is, not in-house) and relies on the use of network and information systems to deliver the service.
- Relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security.
- Involves a network connection and/or access to the customer’s network and information systems.