UK proposes new cyber laws for key services

The UK government has announced proposals to strengthen cyber defences for essential public services like healthcare, drinking water providers, transport and energy. The move comes as new research suggests the cost of attacks is almost £15bn annually.

The Cyber Security and Resilience Bill is intended to strengthen national security and boost cyber protections for some of the country’s most essential services. Under the proposals, medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations such as the NHS will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. These include reporting significant or potentially significant cyber incidents promptly to government and to their customers, as well as having plans in place to deal with the consequences.

Regulators will also be given new powers to designate critical suppliers to the UK’s essential services, such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. Designated suppliers would have to meet minimum security requirements, closing gaps in supply chains that criminals could exploit to cause wider disruption.

New independent research shows the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7bn a year across the economy.

Liz Kendall, science, innovation, and technology secretary, said: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.

“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”

Earlier this year, the government published the Cyber Governance Code of Practice, setting out clear steps organisations should take to manage digital risks and safeguard their day-to-day operations. The latest proposals follow recent cyber-attacks on managed service providers. In 2024, hackers accessed the Ministry of Defence’s payroll system via a managed service provider, while other recent attacks, such as the Synnovis incident in the NHS, resulted in over 11,000 disrupted medical appointments and procedures, with some estimates suggesting costs of £32.7m.
