Proposed new laws to strengthen cyber defences for essential services like healthcare, drinking water providers, transport and energy.
Hospitals, energy and water supplies and transport networks will be better protected from the threat of cyber-attacks under new laws being introduced in parliament.
The government says that the Cyber Security and Resilience bill will strengthen national security and protect growth by boosting cyber protections for key services that people and businesses rely on every day. The proposed new laws would cover certain digital and essential services including healthcare, transport, energy and water.
Under the proposals:
- Medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS, will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties.
- Regulators will be given new powers to designate critical suppliers to the UK’s essential services such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean they’d have to meet minimum security requirements – shutting down gaps in supply chains criminals could exploit which could cause wider disruption.
- Enforcement will be modernised, including tougher turnover-based penalties for serious breaches so cutting corners is no longer cheaper than doing the right thing.
- The technology secretary will get new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber-attacks where there is a threat to UK national security.
The move comes amid a sharp rise in the number of cyber incidents attacking these sectors, as hostile actors exploit the growing interconnection of IT and operational technology (OT) systems.
Marc Wren, OT cyber security manager at Axians UK, said: “The government’s new laws to strengthen the UK’s cyber defences across the NHS, transport and energy sectors are both vital and timely. As national infrastructure becomes more interconnected, the potential consequences of disruption extend far beyond data loss by potentially affecting the continuity and safety of everyday services.
“Ensuring the reliability of critical national infrastructure is at the core of every utility’s operations, yet these principles are increasingly under threat from the digital world. Cyber-attacks are rising year on year, with adversaries using ever more sophisticated methods to disrupt essential services.
“As we have seen across the water industry and other critical sectors, the resilience of any organisation is only as strong as its weakest link. Regulation can drive awareness, but lasting security depends on culture, collaboration and constant vigilance. The best defence is a mature, managed approach that limits exposure before threats can take hold.”
