
Managed service providers and data centres to fall under new cybersecurity regulatory regime

Managed service providers and data centres are set to fall under a new cybersecurity regulatory regime proposed by the UK Government.

Ministers are seeking new oversight and enforcement powers to ensure that critical national infrastructure, such as energy networks and the NHS, is better protected against online threats.

The new Cyber Security and Resilience Bill will be introduced later this year to face down a growing range of online threats, including ransomware and distributed denial of service (DDoS) attacks.

Under the plans, 1,000 service providers will fall into scope of a range of measures expected to be introduced later this year.

Technology secretary Peter Kyle said: “Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable.

“Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”

Cyber threats cost the UK economy almost £22 billion a year between 2015 and 2019 and cause significant disruption to the British public and businesses.

Last summer’s attack on Synnovis – a provider of pathology services to the NHS – cost an estimated £32.7 million and saw thousands of missed appointments for patients. Figures also show a hypothetical cyber-attack focused on key energy services in the South East of England could wipe over £49 billion from the wider UK economy.

Health secretary Wes Streeting said: “Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place.

“We are building an NHS that is fit for the future. This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our Plan for Change.”

Under the proposed new laws, the technology secretary could be given the power to direct ‘regulated organisations’ to shore up their cyber defences. Another potential avenue may include new protections for more than 200 data centres – bolstering the defences of one of the main drivers of economic growth and innovation, including through AI.

This means third-party suppliers will need to boost their cybersecurity in areas such as risk assessment to minimise the possible impact of cyber attacks, while also strengthening their data protection and network security defences.

Regulators will also have more tools to improve cybersecurity and resilience in the areas they regulate, with companies required to report more incidents to help build a stronger picture of cyber threats and weaknesses in our online defences.

In the year to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with 89 of these being classed as nationally significant – a rate of almost two every week. The most recent iteration of the Cyber Security Breaches Survey also highlights 50% of British businesses suffering a cyber breach or attack in the last 12 months, with more than 7 million incidents being reported in 2024.

Richard Horne, NCSC CEO, said: “By bolstering their cyber defences and engaging with the NCSC’s guidance and tools, such as the Cyber Assessment Framework, Cyber Essentials, and Active Cyber Defence, organisations of all sizes will be better prepared to meet the increasingly sophisticated challenges.

“The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare.

“It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries.”

Managed Service Providers

According to a policy statement attached to the new bill, managed service providers (MSPs) play a “critical role in the UK economy by offering core IT services to businesses. These organisations have unprecedented access to clients’ IT systems, networks, infrastructure, and data.

“This makes them an attractive target for malicious actors and subject to cyber attacks, including those that resulted in impacts on clients. This has included the Cloud Hopper attack on MSPs and the attack on the Ministry of Defence’s personnel system. These highlight the vulnerabilities of MSPs and by extension, the critical services they support.”

The Bill therefore proposes that MSPs are brought under the new regulatory regime, placing a duty on them to ‘protect a broader range of services from cyber attacks and build a better picture of the threats facing our essential services’.

These firms will be subject to the same duties as those placed on firms that provide digital services – such as cloud services, search engines, and online marketplaces – referred to as ‘relevant digital service providers’ under the 2018 Network and Information Systems (NIS) Regulations. The Information Commissioner’s Office (ICO) will act as the regulator and have authority to regulate MSPs through information gathering, investigation and enforcement powers.

Firms covered could include, but are not limited to, those offering services such as managed IT services; IT infrastructure and application management; IT remote support; systems integration and management (SIAM); managed security services, such as managed security service providers (MSSPs), managed security operations centres (SOC), security information and event management (SIEM), incident response, and threat and vulnerability management; and relevant business process outsourcing.

Data Centres

Under the plans, data centres at or above 1MW capacity would come under the scope of the Bill. Enterprise data centres – those operated by a business solely to deliver and manage that business’s own IT needs – would come into scope only at or above 10MW capacity.

Externally commissioned research (2024) indicates that there are currently 224 colocation data centres in the UK, managed by 68 operators. Of these, around 182 third-party sites and 64 operators will fall within scope. The UK Government said it expects the number of enterprise data centres falling within scope of the bill to be ‘relatively low.’

The policy statement said: “This measure is designed to balance security and resilience with the need for growth and investment, recognising that they support each other. We therefore do not intend or expect responsible operators to incur significant compliance costs, but we would provide a full impact assessment upon legislating.”

Devolved or reserved?

Cyber security is a reserved matter, but it has strong implications for the delivery and resilience of devolved services – for example health and social care, which is devolved to the Scottish Parliament. In practice, cyber incidents affecting public services in Scotland have been managed by Scottish public bodies, albeit with the assistance of NCSC.

The Scottish Government therefore works closely with key partners such as the UK National Cyber Security Centre to ensure alignment between work on cyber resilience at the UK and Scottish levels.

The policy statement for the new Bill notes, however, that the “Secretary of State would not be able to issue directions to other Secretaries of State or Devolved Governments”.

There are currently 12 ‘competent authorities’ that act as regulators across the UK for the purposes of the NIS regulations. They include the Department for Energy Security and Net Zero (DESNZ), the Office of Gas and Electricity Markets (Ofgem), the Office for Nuclear Regulation (ONR), the Department for Transport (DfT), and the Civil Aviation Authority (CAA).

However, the Scottish Government acts as the competent authority for two sectors that are devolved: health (jointly with NHS National Services Scotland) and water (jointly with Scottish Water). It is thought that these would be the two policy areas requiring Scottish Ministers’ approval, while the rest would remain reserved matters.

Source: Futurescot
