The UK Government has recently announced that it plans to introduce the Bill to Parliament in 2025, following its formal proposal in the King's Speech earlier this year. The aim of the Bill is to update the existing Network and Information Systems Regulations 2018 (the Regulations) to strengthen the UK's cross-sector cyber security legislation in the wake of high-profile attacks which have disrupted public services and highlighted their vulnerabilities, most recently the attack on Synnovis, and to keep pace with the EU's new Network and Information Systems Directive 2 (NIS2).
We have not yet seen a draft of the Bill, but the Department for Science, Innovation and Technology has indicated, in an update published on 30 September 2024, three core changes to the current regulatory framework:
It is expected that the Bill will (at least in some respects) take a similar form to the NIS2, which is far more substantial and wide-ranging than its predecessor (on which the Regulations are based). On this assumption, some further examples of what we can expect from the Bill include:
Though we do not yet know the scope of the changes to be introduced (and how these might emulate the EU approach), we can likely expect greater compliance requirements, more stringent measures, and severe sanctions for non-compliance under the new legislation as the Government seeks to make the UK's cybersecurity infrastructure more resilient.
Businesses operating within or connected to the Pharmaceuticals and Life Sciences sector are unlikely to fall within the scope of the current Regulations, with the only potential sectors of relevance being the health sector (which is in turn currently limited to healthcare settings, including hospitals, private clinics and online settings) and certain digital service providers that work in the Pharmaceuticals and Life Sciences sector. As the COVID-19 pandemic highlighted the importance of a fully operational Pharmaceuticals and Life Sciences sector and the Government has made it clear that it wants more entities to be within the scope of the new legislation, we will likely see a large number of Pharmaceuticals and Life Sciences businesses being captured - particularly as the NIS2 applies to the research sector and includes the manufacturing of pharmaceutical and medical devices within its scope.
Assuming the Government takes forward the elements outlined in the previous section, those in the Pharmaceuticals and Life Sciences sector should therefore anticipate a greater compliance burden under the new legislation and ensure that they have the infrastructure and resources to meet this.
To prepare, and in the interests of good practice, we recommend that businesses take the following steps:
Start-ups should also bear in mind that there may be additional costs to take into consideration when starting out or looking to scale in view of the new legislation. The EU has recognised the financial impact of complying with the NIS2, particularly on the manufacturing market and smaller companies, and there are likely to be similar costs involved in connection with the Bill.
UK-based businesses that supply to or operate within the EU (particularly those involved in healthcare, research or manufacturing) should also be mindful of the EU regime and should consult the new NIS2, as there may be additional cyber security requirements they need to implement.
We understand that this area of law can be complex. Our information law team can provide training and guidance in relation to cyber security legislation and advise you on what practical steps to take. If this is of interest, please get in touch with us.