Large organisations that provide IT services, including datacentres, will face regulation to ensure they have adequate cyber security and resilience plans, under laws being introduced in Parliament today.
The Cyber Security and Resilience Bill (CSRB) aims to ensure critical services, including healthcare, water, transport and energy, are protected against cyber attacks, which cost the UK economy almost £15bn a year.
Under the proposals, medium and large IT services companies providing IT management, helpdesk support and cyber security to critical services face regulation for the first time.
They will be required to report potentially significant cyber security breaches to regulators and the National Cyber Security Centre within 24 hours, with a full report within 72 hours, and to notify businesses and individuals who use their services of the incident.
The new regulatory requirements could include obliging them to strengthen security monitoring of their systems or to isolate high-risk systems in order to protect and secure essential services.
The proposed laws cover private and public sector providers of critical services, which, if attacked, could have “huge negative implications” for the economy.
Regulators will be given new powers under the bill to “designate” organisations that supply essential services, such as health diagnostics to the NHS or chemicals to a water firm, requiring them to meet minimum security requirements.
The government argues that recent cyber attacks on managed service providers (MSPs) show that laws are needed.
The Office for Budget Responsibility estimates that a cyber attack on critical national infrastructure could temporarily increase borrowing by over £30bn – equivalent to 1.1% of GDP.
Research published today shows the average cost of a significant cyber attack in the UK is over £190,000; across the economy as a whole, this adds up to £15bn a year – some 0.5% of the UK’s GDP.
In 2024, hackers accessed the Ministry of Defence’s payroll system through an MSP. The attack against pathology services provider Synnovis disrupted more than 11,000 medical appointments and procedures, with estimated costs of £30m.
The government said the bill “represents a step change” that will “help to deliver greater economic stability” and support investment in the UK’s cyber security sector, which contributed £13.2bn to the economy in the latest financial year.
First floated in 2024, shortly after Labour’s General Election victory, the Cyber Security and Resilience Bill aims to improve the UK’s online defences, protect the public and safeguard economic growth.
NCSC CEO Richard Horne said the Cyber Security and Resilience Bill was a “significant step” towards “ensuring the nation’s most critical services are better protected and prepared”.
“The real-world impacts of cyber attacks have never been more evident than in recent months, so we welcome the move to strengthen legislation and regulatory powers to help drive up the level of defence and resilience across critical national infrastructure,” he added.
Phil Huggins, national chief information security officer for health and care at NHS England, said the proposals would allow healthcare services to address the greatest risks and harms, including new powers to designate critical suppliers.
“Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data and maintain trust in our systems in the face of an evolving threat landscape,” he added.
Science, innovation and technology secretary Liz Kendall said the new laws would mean “fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge”.