UK’s cyber incident reporting law to move forward in 2025
The UK government says that enforced cyber incident and ransomware reporting for critical sectors of the economy will help to build a better picture of the threat landscape and enable more proactive and preventative responses
The UK’s new government has teased further details of its proposed Cyber Security and Resilience Bill, confirming that it will contain a clause mandating centralised incident reporting, including in the event of cyber attacks that involve ransomware.
Keir Starmer’s incoming administration first brought forward the possibility of a mandatory reporting law in the King’s Speech in July 2024, and the bill’s two core objectives – to expand the remit of current regulation and paint a more accurate picture of the threat landscape – were warmly welcomed by experts at the time.
In the update, published on Wednesday 30 October to little fanfare, Westminster said that it planned to introduce the bill in 2025, and that a public consultation is in the planning stages.
It said recent events – such as ransomware attacks on NHS suppliers and hostile state actors caught lurking in Ministry of Defence networks – showed that the impacts of cyber incidents could be severe, and that the UK’s laws had not kept pace with the rate of technological change. Action to strengthen the country’s defences and protect critical national infrastructure (CNI) and digital services was therefore a priority.
Additionally, it said, existing regulations reflect law inherited from Brussels before Brexit. As these rules are now being rapidly superseded in the European Union (EU), change is even more urgently needed to ensure the UK does not mark itself out as a soft target in Europe, and to help British businesses remain on par with their competitors and peers across the Channel.
Crucial updates
The bill will make “crucial updates” to this legacy framework by, firstly, expanding its remit to protect more sectors, filling gaps in defences and hopefully preventing more attacks – such as that on NHS lab services partner Synnovis that disrupted patient care across South London during the summer.
Secondly, the government hopes to put regulators – such as the Information Commissioner’s Office (ICO) – on a stronger footing to ensure proper security measures are being implemented, potentially including cost recovery mechanisms to better resource these bodies, and enhancing their powers to proactively investigate vulnerabilities on their own. It expects a total of 12 regulatory bodies will ultimately hold, and benefit from, these responsibilities.
Finally, it hopes mandated incident reporting will provide it with better data on security incidents and ransomware attacks, helping improve overall understanding of the threat landscape and even providing early warning of potential attacks.
At the current stage of planning, the regulations will cover the transport, energy, drinking water, health and digital infrastructure sectors, and digital services including online marketplaces, search engines, and cloud computing services.