UK government announces new cyber laws

April 4, 2025

The UK government has provided more information about its new Cyber Security Bill, which aims to protect public services and safeguard growth. It was announced in the King’s Speech last year. The aim is that firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals. 1,000 service providers will fall within the scope of measures expected to be introduced later this year.

The government says that cyber threats cost the UK economy almost £22 billion a year between 2015 and 2019 and cause significant disruption to the British public and businesses. Last summer’s attack on Synnovis (which provides pathology services to the NHS) cost an estimated £32.7 million and saw thousands of missed appointments for patients.

The government’s policy statement indicates that it will take the following measures to update the regime in the Network and Information Systems Regulations 2018:

  • Bringing more entities into scope of the regulatory framework, including managed service providers, strengthening supply chain security and enabling regulators to designate “Critical Suppliers”,
  • Empowering regulators and enhancing oversight, including technical and methodological security requirements, improving incident reporting, improving the ICO’s information gathering powers, improving regulators’ cost recovery mechanisms, and
  • Ensuring the regulatory framework can keep pace with the ever-changing cyber landscape and is adaptable to emerging threats.

The government is also exploring additional measures to make sure it can respond effectively to new cyber threats and take rapid action where needed to protect the UK’s national security. This includes bringing data centres within the scope of regulation, publishing a statement of strategic priorities for regulators, and empowering the Secretary of State to direct a regulated entity to take action when it is necessary for national security.

In the year to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with 89 of these being classed as nationally significant – a rate of almost two every week. The most recent iteration of the Cyber Security Breaches Survey also highlights 50% of British businesses suffering a cyber breach or attack in the last 12 months, with more than 7 million incidents being reported in 2024.

The Cyber Security and Resilience Bill will aim to ensure that vital infrastructure and digital services are secure. It will be introduced to Parliament this year.