UK’s new cybersecurity bill threatens £100K daily fines

But industry levels accusations of hypocrisy

The UK’s new cybersecurity bill threatens datacentres, MSPs and more with £100,000-a-day fines for security failures.

Technology Secretary Peter Kyle has unveiled the full details of the UK's landmark Cyber Security and Resilience (CSR) Bill, outlining sweeping new measures to fortify the nation's critical infrastructure against escalating cyber threats.

The bill, slated for parliamentary introduction later this year, includes provisions for daily fines of £100,000 for organisations failing to comply with government-mandated security directives.

The legislation was initially previewed in the King's Speech in July last year, following the change of government.

The CSR bill seeks to strengthen the existing Network and Information Systems (NIS) regulations from 2018 by holding organisations accountable for cybersecurity measures.

This week Kyle outlined the bill's three core pillars: expanding regulations to encompass more organisations, enhancing regulatory enforcement powers, and ensuring the government can swiftly update cybersecurity regulations to counter evolving threats.

Under the proposals more organisations, including datacentres, managed service providers (MSPs) and “critical suppliers,” will be brought under cybersecurity regulations to protect the IT supply chain.

Regulators will also gain stronger powers to enforce compliance, and organisations in scope will face mandatory incident reporting: an initial notification within 24 hours of becoming aware of an incident, followed by a full incident report within 72 hours.

Kyle highlighted the urgency of these measures, citing past cyberattacks such as Cloud Hopper, which targeted MSPs, and a recent breach of the Ministry of Defence's personnel system.

The bill grants the government power to issue ad-hoc directives requiring security improvements in response to specific threats, and failure to comply could result in severe penalties.

An organisation that, for example, fails to patch a known vulnerability within the timeframe a directive specifies could face fines of £100,000 per day or 10 per cent of its turnover until it complies.

Further amendments to the bill are being considered and may be introduced during parliamentary review.

Among the measures still under consideration is bringing datacentres explicitly within the bill's regulatory scope, recognising their importance to national security. The government may also establish a Statement of Strategic Priorities, setting out long-term cybersecurity objectives to be refreshed every three to five years.

The UK already classifies datacentres as critical national infrastructure (CNI). If included in the CSR bill, up to 182 of the UK's 224 colocation datacentre sites could fall under regulatory oversight.

Kyle said that briefings from intelligence chiefs shortly after the Labour party's election left him "deeply concerned" about the current state of cybersecurity. He cited recent attacks on Synnovis, Southern Water, and local authorities as evidence of the escalating threat landscape.

What does the industry think?

Bronwyn Boyle, CISO at financial services firm PPRO, was supportive of the government’s initiative. She told CRN sister publication Computing:

"The bill is a solid step forward to protect UK critical infrastructure at a time of ever-increasing cyber threats and geopolitical instability. The security of our supply chain is absolutely vital: a robust supplier ecosystem is essential to ensure digital safety and protect against crippling incidents that can quickly proliferate and cause devastating impacts.

“I'm hopeful the Bill will be strengthened in the future to include explicit focus on resilience testing and preparedness and on cross-sector collaboration that further strengthens our protective and defensive posture."

Nick Ioannou, information security manager at Goodlord, told us the bill means well but is held back by existing technology:

“Legacy systems and industrial control systems don't go well with the current version of Cyber Essentials. Nor do medical devices with embedded operating systems, expected to be in use for over a decade. The whole supply chain needs to factor in security, starting with the manufacturers.

“The bill means well, but if the technology you have to use is the only option available and full of vulnerabilities, we are just tinkering around the edges.”

Open Rights Group's (ORG) platform power programme manager James Baker welcomed the CSR bill. However, he highlighted some hypocrisy from the Labour government:

"ORG welcomes legislation to protect and improve the UK's cyber security. But a key component of any cyber security strategy has to be the promotion of strong encryption for both the state and the public."

"The UK cannot claim to be strengthening the country's cyber defences while at the same time issuing notices to companies like Apple and demanding that they reduce the security of the services they offer.

"This Bill is also an opportunity to assess and reduce the UK's dependence on large US corporations for vital government infrastructure. Other countries – such as France and the Netherlands – are already debating how to do this, through open-source software for example. The UK is subject to the same risks so needs to assess our dependence in the same way."

Etay Maor, chief security strategist at Cato Networks, called the bill "a necessary evolution in regulatory thinking."

He said, "This bill is a necessary course correction. When attackers hit London hospitals by compromising an MSP, it wasn't just a breach, it was a failure in how we delegate trust.

“MSPs aren't just supporting players; they have privileged access, deep integration, and wide operational reach. Treating them like passive vendors ignores the fact that when one falls, the blast radius is massive. Including them in the regulatory framework isn't overreach, it's essential risk management.

"While the Bill rightly focuses on MSPs and datacentres, it must also anticipate the impact of AI... As generative models empower even novice attackers to build malware with simple prompts, regulation must look beyond infrastructure and consider the evolving landscape of malicious intent.”

This article originally appeared on CRN UK sister website Computing.
