Thursday, 12 March 2026 09:44

Government publishes policy paper on new powers to direct regulated entities in event of risks to national security

The Government has published a policy paper setting out its proposals for new powers in the Cyber Security and Resilience (Network and Information Systems) Bill to direct regulated entities to take necessary and proportionate action in response to imminent or live threats which put UK national security at risk.


The Bill will give the Secretary of State at the Department for Science, Innovation & Technology the power to direct entities regulated under the Network and Information Systems (NIS) regime to take necessary and proportionate action in response to imminent or live threats which put UK national security at risk.

Cyber attacks targeting NIS sectors (drinking water, transport, energy, health, digital infrastructure, some digital services, and, in line with other measures in the Bill, also medium and large managed service providers and data centres) have the potential to seriously threaten the UK’s national security.

The paper cites an example in February 2024 when the United States stated that China state-sponsored cyber actors had compromised US critical infrastructure by pre-positioning themselves within IT networks for water, energy and transport infrastructure, potentially laying the groundwork for future disruptive cyber attacks. Currently, if a similar incident happened in the UK, the government would not have legal powers to issue directions to affected entities, requiring them to take necessary action to mitigate the threat.

The policy paper warns that the growing threat posed by high-capability actors and hostile states – who may mount targeted, highly sophisticated attacks or high-volume, less sophisticated attacks – means that this is a gap that could be exploited with increasing regularity and impact.

The Bill will give the government new powers to direct a regulated entity to take specific and proportionate action in response to a threat that presents a risk to national security.

Issuing a direction

The Secretary of State will be granted a power to issue directions to regulated entities within the regulatory regime – which could include operators of essential services (OES), relevant managed service providers, relevant digital service providers and designated critical suppliers. A direction could only be issued if the Secretary of State considers that:

  1. A security or operational compromise in relation to a relevant network and information system, or the threat of such a compromise, gives rise to a risk to national security, and
  2. The direction is necessary and proportionate in the interests of national security.

When coming to a judgement about proportionality and necessity, the Secretary of State would typically be expected to consider if there are alternative ways of achieving the same outcome, and the potential impacts of a direction, such as economic impacts.

Before giving a direction, the Secretary of State must consult the regulated entity to which the direction applies, as well as any other relevant parties, unless the Secretary of State considers that doing so would be contrary to the interests of national security. This could involve engaging the relevant sector regulator.

Once the Secretary of State has given a direction, a copy must be laid in Parliament, unless the Secretary of State considers that doing so would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person, or would be contrary to the interests of national security.

The Bill also gives the Secretary of State a power to require information from regulated entities.

If an undertaking has been found to be non-compliant with a direction, the Secretary of State may impose a penalty up to a maximum of 10% of its turnover or £17 million, whichever is higher.
