12 November 2025
IT services companies and datacentres face regulation as cyber security bill reaches Parliament
The Cyber Security and Resilience Bill will require large IT services companies, including datacentres, to report security incidents within 24 hours
Large organisations that provide IT services, including datacentres, will face regulation to ensure they have adequate cyber security and resilience plans, under laws being introduced in Parliament today.
The Cyber Security and Resilience Bill (CSRB) aims to ensure critical services, including healthcare, water, transport and energy, are protected against cyber attacks, which cost the UK economy almost £15bn a year.
Under the proposals, medium and large IT services companies providing IT management, helpdesk support and cyber security to critical services face regulation for the first time.
They will be required to report potentially significant cyber security breaches to regulators and the National Cyber Security Centre within 24 hours, with a full report within 72 hours, and to notify businesses and individuals who use their services of the incident.
New government powers
The government will have new powers to instruct regulators and the organisations they oversee to take “specific, proportionate steps” to prevent cyber attacks where there is a risk to national security.
This could include requiring them to strengthen security monitoring of their systems or isolate high-risk systems to protect and secure essential services.
The proposed laws cover private and public sector providers of critical services, which, if attacked, could have “huge negative implications” for the economy.
Regulators will be given new powers under the bill to “designate” organisations that supply essential services, such as health diagnostics to the NHS or chemicals to a water firm, requiring them to meet minimum security requirements.
Ransomware payment ban
The legislation is also expected to include a ban on public sector organisations, such as councils, schools, the health service and operators of critical national infrastructure (CNI), making payments to ransomware crime gangs.
The government argues that recent cyber attacks on managed service providers (MSPs) show that laws are needed.
The Office for Budget Responsibility estimates that a cyber attack on critical national infrastructure could temporarily increase government borrowing by over £30bn, equivalent to 1.1% of GDP.
Research published today puts the average cost of a significant cyber attack in the UK at over £190,000, which across the whole economy adds up to almost £15bn a year, some 0.5% of the UK's GDP.
In 2024, hackers accessed the Ministry of Defence's payroll system through an MSP, and the attack on pathology services provider Synnovis disrupted more than 11,000 NHS appointments and procedures, at an estimated cost of £30m.
The government said the bill “represents a step change” that will “help to deliver greater economic stability” and support investment in the UK’s cyber security sector, which contributed £13.2bn to the economy in the latest financial year.
First floated in 2024, shortly after Labour’s General Election victory, the Cyber Security and Resilience Bill aims to improve the UK’s online defences, protect the public and safeguard economic growth.
In October, government ministers wrote to the CEOs of FTSE 350 companies urging them to make cyber risk a board responsibility, sign up to the National Cyber Security Centre's (NCSC) cyber attack early warning service, and require companies in their supply chain to meet the NCSC's Cyber Essentials security requirements.
NCSC CEO Richard Horne said the Cyber Security and Resilience Bill was a “significant step” towards “ensuring the nation’s most critical services are better protected and prepared”.
“The real-world impacts of cyber attacks have never been more evident than in recent months, and so we welcome the move to strengthen legislation and regulatory powers to help drive up the level of defence and resilience across critical national infrastructure,” he added.
Phil Huggins, national chief information security officer for health and care at NHS England, said the proposals would allow healthcare services to address the greatest risks and harms, including new powers to designate critical suppliers.
“Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data and maintain trust in our systems in the face of an evolving threat landscape,” he added.
Science, innovation and technology secretary Liz Kendall said the new laws would mean “fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge”.
