Another step towards greater security and resilience

Posted on: 23rd April 2025, by Magrathea

Update 29/04/25: This article was written ahead of well-publicised events such as the M&S ransomware attack and international power outages, but these only go to reinforce the importance of resilience of all kinds, cyber and otherwise. Our thoughts are with all those impacted and working hard to overcome these challenges.

As part of the telecoms supply chain we are of course familiar with the requirements of the Telecoms Security Act (TSA) and associated codes and guidance. Then more broadly there are the Network and Information Systems Regulations (NIS), which have been in force since 2018.

NIS applies to ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs), typically the larger ones with turnover of €10m or more or over 50 staff. It is primarily aimed at improving cybersecurity and addressing other incidents that can impact the provision of service in organisations that rely on digital infrastructure.

Whilst the TSA came into force in 2022 and is still being translated into the real world, the NIS regulations are now very outdated. As NIS2 (the updated version) is EU-wide legislation, we aren’t adopting it here in the UK; instead the new Bill seeks to enhance the NIS regulations to better address the current challenges.

DSIT have recently released a policy statement that not only shows the intention to create the new Cyber Security and Resilience Bill, but also to grant extra powers within it in order to enable the government and regulators to amend and adapt in this rapidly evolving technical landscape.

At Magrathea we are generally considered a positive bunch, believing there is lots of good in the world and if we all work hard and are kind we can all thrive. But our optimism doesn’t stop us from being realistic. More and more frequently in our industry we are exposed to a terrible variety of fraud, scams and DDoS attacks – not to mention the truly awful cyber security attacks impacting our key services – which can knock even the most half-full glass off balance for a while.

This is combined with the report that there were 89 ‘nationally significant’ cyber incidents last year alone, and here the Parliamentary Under-Secretary states that UK businesses lost around £87 billion from cyber attacks over a four-year period – and this has probably got a lot worse since that report in 2019!

So in short, whilst we may dislike the necessity of the legislation and wish the world wasn’t such a harsh place, we also welcome the government’s intention to keep us safe. It has been made clear that threats to our way of life and our economy are increasing and we all need to play our part in defending what we have built.

A few elements of the new Bill are a done deal but others are to be decided on as the Bill goes through Parliament. Key things to note are:

  • Compared to NIS, this legislation will bring more entities into scope, recognising that the supply chain can introduce a vulnerability.
  • It will be possible for certain providers, regardless of size, to be given ‘Critical Supplier’ status thereby bringing them in scope.
  • Managed Service Providers will be in scope, ensuring greater protections for their customers.
  • More robust and rapid incident reporting will be a requirement, giving better oversight and management.
  • Powers of direction are likely to be granted, meaning the Secretary of State can issue direction directly to a regulated entity to take action in the case of a threat to national security.

 

There are still months of debate before we get the final outcome, with the Bill expected to receive royal assent early in 2026, but given the significant impact and general direction of world threats we think it’s worth everyone being aware of this now and prepping early – whatever that means for you!

You can read the full policy statement here.