Supporting the Plan for Change, the Cyber Security and Resilience Bill strengthens national security and protects growth by boosting cyber protections for the services that people and businesses rely on every day.
Under the proposals:
- medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations will be regulated for the first time. They will need to meet clear security duties, which include reporting significant or potentially significant cyber incidents promptly to government and their customers, as well as having robust plans in place to deal with the consequences.
- regulators will be given new powers to designate critical suppliers to the UK's essential services, such as those providing healthcare diagnostics to the NHS, where they meet the criteria.
- enforcement will be modernised, including tougher turnover-based penalties for serious breaches.
- the technology secretary will be given new powers to instruct regulators and the organisations they oversee to take specific, proportionate steps to prevent cyber-attacks where there is a threat to UK national security. This includes requiring them to strengthen their monitoring or isolate high-risk systems to protect and secure essential services.
Science, innovation, and technology secretary, Liz Kendall, said: ‘Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I'm sending them a clear message: the UK is no easy target.
‘We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. They will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.’
National Cyber Security Centre chief executive, Dr Richard Horne, said: ‘The real-world impacts of cyber-attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.
‘As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.’
National chief information security officer for health and care at DHSC, Phil Huggins, said: ‘The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for. The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.
‘Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape.’
Organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours, so that support can be on hand more quickly and to help build a stronger national picture of cyber threats. If data centres, or digital and managed service providers, face a significant or potentially significant attack, they will have to promptly notify customers who are likely to be affected, so those organisations can act fast to protect their business, people and services.
The Bill will bring data centres, which are used for patient records, email services and AI development, into scope of the regulations, ensuring they meet robust cyber-security standards.
