Date: 2025-04-01

The government sets out the scope and ambition of the Cyber Security and Resilience Bill for the first time today.

Plans set out to bolster UK’s online defences, protect the public and safeguard growth – the central pillar of the UK government’s Plan for Change.

New measures will boost protection of supply chains and critical national services, including IT service providers and suppliers.

Cyber Security and Resilience Bill to be introduced later this year to face down growing range of online threats.

Hospitals and energy suppliers are set to boost their cyber defences under the new Cyber Security Bill, protecting public services and safeguarding growth as government delivers its Plan for Change.

This will ensure firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals. 1,000 service providers will fall into scope of measures expected to be introduced later this year.

The move forms part of the government’s drive to secure Britain’s future through the Plan for Change, delivering security and renewal by strengthening our critical infrastructure. It will give the British public, businesses and investors greater confidence in digital services - supporting the government’s mission to kickstart economic growth.

Cyber threats cost the UK economy almost £22 billion a year between 2015 and 2019 and cause significant disruption to the British public and businesses. Last summer’s attack on Synnovis - a provider of pathology services to the NHS - cost an estimated £32.7 million and saw thousands of missed appointments for patients. Figures also show a hypothetical cyber-attack focused on key energy services in the South East of England could wipe over £49 billion from the wider UK economy.

Secretary of State for Science, Innovation, and Technology, Peter Kyle, said:

Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable. Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage. The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world - giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.

Health and Social Care Secretary Wes Streeting said:

Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place. We are building an NHS that is fit for the future. This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our Plan for Change.

The government is also exploring additional measures to make sure it can respond effectively to new cyber threats and take rapid action where needed to protect the UK’s national security. This includes giving the Technology Secretary powers to direct regulated organisations to shore up their cyber defences – putting the UK on the strongest possible footing to defend against new and existing threats.

Another potential avenue may include new protections for more than 200 data centres – bolstering the defences of one of the main drivers of economic growth and innovation, including through AI. Data centres process mountains of data which they need to churn out new products which have become commonplace everywhere from banking and online shopping to booking holidays and staying in touch with friends and family. The government will now consider the best route to deliver these additional measures.

In the year to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with 89 of these being classed as nationally significant – a rate of almost two every week. The most recent iteration of the Cyber Security Breaches Survey also highlights 50% of British businesses suffering a cyber breach or attack in the last 12 months, with more than 7 million incidents being reported in 2024.

To face down this threat, the Cyber Security and Resilience Bill will ensure the vital infrastructure and digital services the country relies on are more secure than ever, as the government sets out its legislative ambitions for the first time today.

Richard Horne, NCSC CEO, said:

The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare. It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries. By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges.

While the legislation will arm the UK with the cyber defences it needs to meet the challenges of today, it also includes measures to ensure a swift response to new threats which emerge in the future. To do this, the Technology Secretary will be given powers to update the regulatory framework to keep pace with the ever-changing cyber landscape.

Confirmed in last year’s King’s Speech, today marks the first time the government has shared full details on its plans for the Cyber Security and Resilience Bill, which will be introduced to Parliament this year.

The legislative proposals follow other recent government action to boost UK cyber security, including a new, world-leading AI cyber security standard to protect AI systems, a new international coalition to boost cyber skills and the Cyber Local programme to support the UK’s rapidly growing £13.2 billion cyber security industry, which has created 6,600 new jobs in the past year.

Further Information

A full copy of the policy statement containing details of the measures in the Cyber Security and Resilience Bill has been published today.

Figures on the economic impact of a hypothetical cyber incident targeting the South East’s energy structure (PDF) by the University of Cambridge.

If the proposals are adopted:

More organisations and suppliers will need to meet robust cyber security requirements, including data centres, Managed Service Providers (MSPs) and critical suppliers. This means third-party suppliers will need to boost their cyber security in areas such as risk assessment to minimise the possible impact of cyber-attacks, while also beefing up their data protection and network security defences.

Regulators will have more tools to improve cyber security and resilience in the areas they regulate, with companies required to report more incidents to help build a stronger picture of cyber threats and weaknesses in our online defences.

The government would have greater flexibility to update regulatory frameworks when needed, to respond swiftly to changing threats and technological advancement. This could include extending the framework to new sectors or updating security requirements.

