The UK has seen a drastic leap in cyber-attacks in recent years. In 2022, 39% of UK businesses reported being the target of a cyber breach in the previous 12 months, which highlights just how many businesses are struggling to remain secure online. Smaller organisations may lack the funds to upgrade their cybersecurity processes and infrastructure, and larger corporations may struggle to implement robust cybersecurity strategies across their company due to their size. Whatever the reason, the need for the public and private sector to invest more in cybersecurity must be at the top of the agenda for every organisation in the UK.  

So, to help protect the United Kingdom and organisations operating within it from the evolving threat landscape, the UK government is introducing new UK Cyber Resilience Legislation. The purpose of the legislation is to update, expand and modernise the regulations set out by the NIS2 Directive, in order to better prepare the UK for the likely heightened malicious cyber activity in the coming years. 

What is the Cyber Resilience Act? 

The legislation revolves around three pillars. Listed on the government website, the pillars lay out the government’s vision for the future of UK security, and what the legislation hopes to achieve. Its plan to strengthen the nation’s cybersecurity has been heavily detailed, with all eyes on its mission for change by 2025. 

  • Pillar I: Proposals to bring additional critical providers of digital services into the UK’s cybersecurity regulatory framework, ensuring that those providers who frequently have privileged access and provide critical support to essential UK services, have adequate cybersecurity protections in place, and can be regulated effectively and proactively. 
  • Pillar II: Proposals to future-proof the UK’s existing cybersecurity legislation, primarily the Network and Information Systems (NIS) Regulations, so that they can adapt to potential changes in threat and technological developments. 
  • Pillar III: Considerations for the standardisation of the cybersecurity profession, so that we embed consistent competency standards across the cyber profession. 

So, who will the legislation impact?

One of the main changes which the legislation promises to bring is the expansion on the previous NIS2 Directive, laid out by the European Commission, to include ‘managed services’ as well as ‘digital services’. This could have long-reaching implications for Managed Service Providers and other managed service organisations, as they will need to comply with the new requirements. They will be expected to meet a number of new cybersecurity standards, which are yet to be released, and will need to report any cyber-attacks that meet the threshold outlined by the legislation. Failure to comply with these regulations could result in hefty fines from the ICO. Compliance is especially important for those linked to critical infrastructure such as water and energy companies, or other essential services. 

The legislation also gives the UK government power to update the NIS2 requirements, and to bring more organisations into the scope of the legislation. This means that once these measures are put in place, the government will be able to update and expand on them as they see fit. 

It’s clear from the measures outlined that the government is looking to gain control of the country’s cybersecurity, and the way they want to do this is through regulation and governance. Managed Service Providers are the ones most likely to feel the changes once the legislation is introduced, however with the powers proposed, more and more types of organisations may find themselves needing to comply with the requirements. 

Follow the link for more information on the UK Cyber Resilience Legislation. To learn more on how BOM IT Solutions can support your organisation, contact our sales team on 0800 038 7222 or email or visit our services page here