UK Government Previews Cybersecurity Legislation
The British government has unveiled plans for a new Cyber Security and Resilience Bill that will implement stricter incident reporting rules and enhance supply chain vulnerability management. This legislation, first previewed after the government took office in July 2024, introduces a “two-stage reporting structure” requiring organizations to report significant cyber disruptions within 24 hours of detection and submit a full incident report to the National Cyber Security Centre within 72 hours. The bill extends regulatory oversight to approximately 900-1,100 managed service providers with access to clients’ systems and data, and strengthens the Information Commissioner’s Office’s authority. Current law only mandates reporting within 72 hours when personal data is compromised. Tech Secretary Peter Kyle emphasized that these measures aim to promote economic growth by securing digital infrastructure critical for business stability and innovation. Industry experts have welcomed the focus on supply chain security and streamlined reporting requirements, though some note that success will depend on establishing clear expectations given the existing regulatory frameworks many IT providers already navigate.