Far from an April Fools' joke, on 1 April the Department for Science, Innovation and Technology (DSIT) unveiled a comprehensive policy statement detailing the legislative proposals for the Cyber Security and Resilience Bill. We've summarised the key measures below. 

The Bill was first mooted during the King's Speech 2024 to ensure the current regulatory framework (primarily the Network and Information Systems Regulations 2018 (NIS)) is more closely aligned with the EU's NIS 2 directive. It is a pivotal step towards fortifying the UK's cyber defences and enhancing the resilience of essential services and infrastructure amidst escalating cyber threats. 

Indeed, the statement specifically cites the Synnovis ransomware attack last June as an example of the real-world impact of cyber incidents, especially when critical national infrastructure is affected. This attack on the pathology services provider resulted in nearly 11,000 acute outpatient appointments and 2,000 elective procedures being postponed at two NHS Trusts in London. 

The statement also comes shortly after the ICO's £3m fine against a data processor that provides IT and software services to the NHS and other healthcare providers for security failings related to a separate ransomware attack in 2022. Those failings included not having multi-factor authentication in place, a lack of comprehensive vulnerability scanning, and inadequate patch management. As a result, 658 of its data controller customers were impacted – critical services such as NHS 111 were disrupted and healthcare staff were unable to access patient records. Personal data of some 80,000 individuals, linked to 16 of its data controller customers, was also exfiltrated, including details of how to gain entry into the homes of 890 people who were receiving care at home. It is another example of the relevance and importance of this Bill when it comes to ICT providers and the security of the supply chain. 

Key measures of the proposed Cyber Security and Resilience Bill set out in the statement include:

  1. Bring more entities into scope of the regulatory framework, such as managed service providers (MSPs). This is due to the critical role of MSPs in providing UK businesses with core IT services, and their attractiveness as targets for cyber attacks given their access to client systems and data. 
  2. Strengthen supply chain security, bearing in mind the wide impact of a single supplier being disrupted. DSIT intends to do this by empowering the government to clarify in secondary legislation the duties for operators of essential services (OES) and relevant digital service providers (RDSPs) to manage risks in their supply chains. In addition, regulators will be able to designate specific high-impact suppliers as 'Critical Suppliers', subjecting them to obligations comparable to those of OES and RDSPs. This includes smaller RDSPs which are currently exempt from NIS. 
  3. Empower regulators and enhance oversight to ensure that essential measures are being implemented and to improve the government's understanding of cyber threats. This includes: 
    1. Updating the technical and methodological standards under NIS to place the principles and objectives in the NCSC's Cyber Assessment Framework on a statutory footing and extend them to OES. The aim is to ensure firms invest in cyber security with greater clarity and enable regulators to oversee requirements effectively. 
    2. Improving incident reporting by: 
      1. expanding current reporting criteria to include not only incidents which cause interruption to the continuity of the essential or digital service, but also incidents that (1) are capable of having a significant impact on the provision of the essential or digital service, or (2) significantly affect the confidentiality, availability, and integrity of a system;
      2. updating reporting times to introduce a two-stage process similar to NIS 2, involving an early warning to the regulator and NCSC within 24 hours, followed by an incident report within 72 hours;  
      3. streamlining reporting processes to ensure both the regulator and the NCSC receive the same information at the same time; and 
      4. enhancing transparency requirements, requiring customers of digital services and data centres to be alerted of a significant incident that may impact them. 
    3. Enhancing the information gathering powers of the ICO given its role as regulator for firms that provide digital services (i.e. RDSPs), enabling a proactive approach to identifying and mitigating cyber risks in the digital services sector. 
    4. Improving regulators' cost recovery mechanisms, allowing regulators to set fees and recover costs in order to ensure they are financially independent and capable of performing their duties effectively. 
  4. Introduce new delegated powers by granting the Secretary of State the ability to update the legislative framework to respond to evolving cyber threats in an agile manner, without requiring an Act of Parliament. 

In addition to the proposed Cyber Security and Resilience Bill, the government has also proposed some additional measures, including:

  1. Bringing data centres into the regulatory framework given their designation as critical national infrastructure.
  2. Publishing a statement of strategic priorities to ensure that there is a clear and coherent framework for cyber security regulation across the 12 regulators and their sectors.
  3. Proposing new executive powers for the Secretary of State to direct regulated entities and regulators to take action when necessary for national security, ensuring rapid and effective protection against cyber threats. 

The proposed Cyber Security and Resilience Bill, as well as the government's additional measures, represent a significant step towards addressing the evolving cyber threat landscape. Although we await the final text, one would be a fool not to take it seriously...

The joke's on cyber criminals as the UK government unveils new Cyber Security and Resilience Bill proposals
