The UK government has failed to deliver the update to its cyber laws that it had promised, leaving the legislation out of the King’s Speech, the formal opening of Parliament, despite having announced the changes in advance. The legislation, the NIS Regulations, is intended to “better protect” essential services in the country, including those in the water, energy and transport sectors.
The updated laws are now expected to be introduced to Parliament in 2025, with implementation in 2026 at the earliest. The update is meant to raise security standards, introduce broader mandatory incident reporting and impose fines for non-compliance, so the delay leaves those gaps open while the threat of cyberattacks against critical infrastructure continues to grow.
The NIS Regulations, originally derived from a European Union directive, set security standards for operators of critical infrastructure and providers of essential digital services, and require them to report disruptive cyberattacks. The delayed update would tighten those reporting requirements, with fines of up to £17 million for violations.
At present, many cyberattacks are never recorded as NIS incidents because the reporting threshold in the existing legislation is defined by the impact on the essential service, not by how deeply a threat actor has penetrated the operator’s network. An intrusion that gives an attacker extensive access but causes no service disruption therefore need not be reported, limiting the government’s visibility into the threats each sector actually faces.
The proposed update would also place obligations on managed service providers (MSPs), which support smaller organisations without dedicated IT departments and are frequently targeted by attackers as a route into their customers. The ransomware attack on the NHS supplier Advanced showed how a compromise at such a provider can knock out essential services downstream.
Although the government says it has already drafted the update, when it will reach Parliament remains uncertain, raising concerns about the UK’s cyber resilience at a time when the European Union’s NIS2 directive is already being implemented across member states.