The cyber threat landscape facing the UK’s public and private sectors is “diffuse and dangerous” according to the National Cyber Security Centre, with persistent attacks from both hostile states and organised crime. Recent high profile ransomware attacks on UK retailers are a reminder of how disruptive such attacks can be to business operations. However, critical national infrastructure (CNI) is regularly the target, and it is easy to see how a successful attack on a nuclear power station or water supplier could have a devastating impact on the country.

In response to the current cyber threat, the UK Government is progressing a number of legislative changes, including updating its cyber legislation for critical services (which includes certain IT services). The Cyber Security and Resilience Bill (the Bill), was first announced in the King’s speech last July. While we await its publication, a government statement published this April provides some detail on what it will cover. The Bill will draw from both the EU’s recent NIS2 Directive and consultations carried out by the previous government, and aims to “strengthen the UK’s cyber defences and build the resilience of [its] essential services, infrastructure, and digital services.”