
Protecting data: implications of the Cyber Security and Resilience Bill for the UK's pharmaceuticals and life sciences sector

on Tuesday, 19 November 2024.

The proposed Cyber Security and Resilience Bill (the Bill) intends to capture more sectors, increase incident reporting and strengthen ICO powers - we consider the potential implications for the UK's pharmaceuticals and Life Sciences sector.

Background to the Bill

The UK Government has recently announced that it plans to introduce the Bill to Parliament in 2025, following its formal proposal in the King's Speech earlier this year. The Bill aims to update the existing Network and Information Systems Regulations 2018 (the Regulations) and so strengthen the UK's cross-sector cyber security legislation, both in the wake of high-profile attacks that have disrupted public services and exposed their vulnerabilities (most recently the attack on Synnovis) and to keep pace with the EU's new Network and Information Systems Directive 2 (NIS2).

What can we expect from the Bill?

We have not yet seen a draft of the Bill, but the Department for Science, Innovation and Technology indicated, in an update published on 30 September 2024, three core changes to the current regulatory framework:

  • Expansion of the scope of protection beyond certain digital services and five essential sectors currently protected by the Regulations, to capture more digital services and supply chains.
  • Strengthening regulators through improved resourcing and by granting greater powers to ensure robust cybersecurity measures are implemented.
  • Enhancement of incident reporting requirements, including mandatory reporting of ransomware attacks, to improve understanding and guide policy development.

It is expected that the Bill will (at least in some respects) take a similar form to the NIS2, which is far more substantial and wide-ranging than its predecessor (on which the Regulations are based). On this assumption, some further examples of what we can expect from the Bill include:

  • Shorter timescales for incident reporting - Currently, under the Regulations, entities must report relevant cybersecurity incidents without undue delay and in any event within 72 hours. The NIS2 requires entities to issue an early warning within 24 hours of becoming aware of a 'significant' incident, a fuller incident notification within 72 hours and a final report within one month, so the Bill may expect entities to take action earlier.
  • Larger fines for non-compliance - NIS2 introduces significant penalties: member states must provide for maximum fines of at least €10 million or 2% of global annual turnover (whichever is higher) for 'essential' entities (including healthcare) and €7 million or 1.4% of global annual turnover (whichever is higher) for 'important' entities (including manufacturers of medical devices). There have been hints of cost-recovery mechanisms in the Bill (allowing regulators to recover the cost of their regulatory activities from the entities they regulate), which may indicate that the Government is also considering larger fines for non-compliance that mirror the NIS2.

Though we do not yet know the scope of the changes to be introduced (and how these might emulate the EU approach), we can likely expect greater compliance requirements, more stringent measures, and severe sanctions for non-compliance under the new legislation as the Government seeks to make the UK's cybersecurity infrastructure more resilient.

What steps should those in the Pharmaceuticals and Life Sciences sector take?

Businesses operating within or connected to the Pharmaceuticals and Life Sciences sector are unlikely to fall within the scope of the current Regulations: the only sectors of potential relevance are the health sector (which is currently limited to healthcare settings, including hospitals, private clinics and online settings) and certain digital service providers that work in the Pharmaceuticals and Life Sciences sector. However, the COVID-19 pandemic highlighted the importance of a fully operational Pharmaceuticals and Life Sciences sector, and the Government has made it clear that it wants more entities to be within the scope of the new legislation. We are therefore likely to see a large number of Pharmaceuticals and Life Sciences businesses being captured, particularly as the NIS2 applies to the research sector and includes the manufacturing of pharmaceutical products and medical devices within its scope.

Assuming the Government takes forward the elements outlined in the previous section, those in the Pharmaceuticals and Life Sciences sector should therefore anticipate a greater compliance burden under the new legislation and ensure that they have the infrastructure and resources to meet this.

To prepare, and in the interests of good practice, we recommend that businesses take the following steps:

  • Ensure that employees are up to date with their cybersecurity training and are aware of risks and how to mitigate them, particularly when working with and sharing data.
  • Assess their cyber health and remedy any weak points.
  • Keep abreast of updates, to help manage the additional work likely required between the introduction of the Bill and when it comes into force.
  • Be prepared to invest in cybersecurity measures or infrastructure to comply with additional requirements. Those in the Pharmaceuticals and Life Sciences sector should expect the cost of this to be passed down the supply chain and be prepared for less competitive prices within the market.

Start-ups should also bear in mind that there may be additional costs to take into consideration when starting out or looking to scale in view of the new legislation. The EU has recognised the financial impact of complying with the NIS2, particularly on the manufacturing market and smaller companies, and there are likely to be similar costs involved in connection with the Bill.

UK-based businesses who supply to or operate within the EU (particularly those involved in healthcare, research, or manufacturing) should also be mindful of the EU regime and should consult the new NIS2 as there may be some additional cyber security requirements they need to implement.

We understand that this area of law can be complex. Our information law team can provide training and guidance in relation to cyber security legislation and advise you on what practical steps to take. If this is of interest, please get in touch with us.


If you would like to discuss this article or how we might be able to assist you, such as through specific advice or training, please contact Andrew Gallie in our Information Law team on 07467 220 831.