
Out-Law News

Economic impact and regulatory limits in spotlight as MPs debate new UK cyber security law

Labour MP Ian Murray has launched a £210m cyber action plan for the UK. Photo by Jeff J Mitchell/Getty Images


The capacity of British regulators to meet the increased cyber security demands being placed on companies under planned new legislation has been questioned by lawmakers.

Members of parliament questioned whether regulators such as the Information Commissioner's Office would have the capacity and technical capability to oversee the wider range of service providers and platforms that would come under their scrutiny as part of the Cyber Security and Resilience Bill.

A particular focus of MPs was the ability of companies and organisations that would fall within the scope of regulation for the first time to manage the increased costs and demands of compliance. Such organisations include small and medium-sized "relevant managed service providers", and critical suppliers to UK infrastructure such as healthcare, water and energy firms.

“Many of the comments of MPs focussed upon ensuring an appropriate and proportionate regulatory burden, including by ensuring the scope captures the right entities and excludes lower risk smaller organisations,” said Stuart Davey, an expert in critical national infrastructure cybersecurity with Pinsent Masons.

Davey noted that MPs had questioned whether organisations would face disproportionate compliance costs.

The comments came during the second reading of the bill, which is now due to go to committee before the beginning of March.

The debate will likely set the tone for the areas of scrutiny the bill will face as it passes through the Commons, added Malcolm Dowden, a data and cybersecurity expert with Pinsent Masons.

The debate comes as the UK government unveiled its new £210 million cyber action plan, aimed at improving the resilience of public services online.

Digital minister Ian Murray, who opened the debate for the bill's second reading, said the new action plan would bolster the cyber defences of public sector bodies in the UK, including through the launch of a new government unit dedicated to cybersecurity.

The bill proposes enabling regulators to impose larger, turnover-based penalties for serious cybersecurity breaches by companies with ties to significant UK infrastructure, strengthening the existing Network and Information Systems Regulations 2018.

Tougher reporting requirements will also be brought in for operators of essential services: regulators and the National Cyber Security Centre must be notified of an incident within 24 hours, with full reporting within 72 hours. The triggers for notification will also be tightened so that near-miss incidents must be reported alongside confirmed breaches.

Davey noted that concerns were raised that new incident notification rules could impose excessive administrative overhead or require disclosure before organisations have full situational awareness.

“The legislative process will likely lead to clearer statutory definitions to minimise premature or unnecessary incident reporting,” he explained.

MPs have raised concerns that the bill's definition of a managed service provider is currently too broad, which risks ambiguity and unnecessary costs for companies. As drafted, a managed service provider is a person who provides managed services in the UK, even if that person is not established in the UK, and is not a small or micro enterprise. Bodies subject to public authority oversight, or that earn less than half their income commercially, are exempt.

“These are likely areas for debate and possible amendment when the bill enters its committee stage,” said Dowden, who added that the debate was still at an early stage in the parliamentary timetable.

“There will likely be clarification of the definition of a managed service provider, and narrowing it to exclude low-risk entities.”

Davey added that there was still a significant way to go for the bill before it became law.

“Our current understanding is that royal assent is not anticipated until well into 2027, with full implementation taking a year or so from there,” he said.

“Although the timeline is quite protracted, there will be a need for all potentially impacted organisations to track it closely and to make use of the time for preparation and implementation of new procedures.”
