Cyber security and resilience (network and information systems) Bill 2024-26

Title page 1

Contents 3

Summary 5

1. Background: Cyber security and resilience 8

1.1. What is cyber security and resilience? 8

1.2. Who carries out cyber attacks? 9

1.3. How are cyber attacks carried out? 11

2. Background to the bill 17

2.1. Current regulatory framework 18

2.2. Reviews of the Network and Information Systems Regulations 20

3. Overview of the bill 22

3.1. Measures in the bill 23

3.2. Stakeholder response to the bill 25

4. Parts 1 and 2: amending the Network and Information Systems Regulations 28

4.1. Clause 3: Identification of operators of essential services 28

4.2. Clauses 4 to 6: Data centres and load controllers to be regulated as essential services 29

4.3. Clauses 7 and 8: Digital services 32

4.4. Clauses 9 to 12: Supply chain organisations 33

4.5. Clause 13: Provision of information by data centre operators 37

4.6. Clause 14: Provision of information by digital service and managed service providers 38

4.7. Clause 15: Incident reporting duties 38

4.8. Clause 16: Duty to notify customers 43

4.9. Clause 17: Cost recovery by enforcement authorities 43

4.10. Clause 18: Information sharing 44

4.11. Clause 19: Guidance about cyber security duties 46

4.12. Clauses 20 to 22 and Schedule 1: Monitoring and enforcement 47

4.13. Clause 23 and Schedule 2: Minor amendments 49

5. Part 3: Functions of the Secretary of State 50

5.1. Clause 24: Powers to define essential activities 50

5.2. Clauses 25 to 28: Statement of strategic priorities 52

5.3. Clauses 29 to 35: Powers to update the NIS Regulations 53

5.4. Clauses 36 to 39: Code of practice 57

5.5. Clause 40: Duty to report 58

5.6. Clauses 41 and 42: Regulations under Part 3 59

6. Part 4: Directions for national security purposes 60

6.1. Clause 43: Power to issue directions to regulated persons 60

6.2. Clauses 44 and 45: Compliance with directions 61

6.3. Clauses 46: Information notices 61

6.4. Clause 47: Inspections 62

6.5. Clauses 48 to 52: Enforcement 62

6.6. Clause 53: Power to issue directions to regulatory authorities 64

6.7. Clauses 54 and 55: Review, revocation, and scrutiny of directions 64

6.8. Clause 56: Information sharing 65

6.9. Clause 57: Means of giving directions 65

7. Part 5: Extent and commencement 66

8. Annex: How bills go through Parliament 67

8.1. Commons stages 67

8.2. Lords stages 68

8.3. 'Ping pong' 68

8.4. Amendments 68

8.5. Further information on bill procedure 69