Opinion: MPs raise concerns over regulators’ readiness for cybersecurity reforms


The capacity of British regulators to meet the increased cyber security demands being placed on companies under planned new legislation has been questioned by lawmakers, write Stuart Davey and Malcolm Dowden.

MPs questioned whether regulators such as the Information Commissioner’s Office would have the capacity and technical capability to manage the increased range of service providers and platforms that would come under their scrutiny as part of the Cyber Security and Resilience Bill.

A particular focus of MPs was the ability of companies and organisations which now fall within the scope of regulation for the first time to manage the increased costs and demands of compliance. Such organisations include small and medium-sized relevant managed service providers, and critical suppliers to UK infrastructure such as healthcare, water and energy firms.

Many of the MPs’ comments focused on ensuring an appropriate and proportionate regulatory burden, including by ensuring that the scope captures the right entities and excludes lower-risk smaller organisations.

The debate will likely set the tone for the areas of scrutiny the bill will face as it passes through the Commons; it is due to go to committee before the beginning of March. The debate also comes as the UK government unveiled its new £210 million cyber action plan, aimed at improving the resilience of public services online.

Digital minister Ian Murray MP said the new action plan would bolster the cyber defences of public sector bodies in the UK, including through the launch of a dedicated government cybersecurity unit.

The bill proposes enabling regulators to enforce larger penalties based on turnover for serious cybersecurity breaches by companies with ties to significant UK infrastructure, strengthening the existing 2018 Network and Information Systems Regulations.

Tougher reporting requirements will also be brought in for operators of essential services: regulators and the National Cyber Security Centre must be notified of incidents within the first 24 hours, with full reporting within 72 hours. The triggers for notification are also tightened so that near-miss incidents, alongside confirmed breaches, fall within the reporting requirements.

Concerns were raised that new incident notification rules could impose excessive administrative overhead or require disclosure before organisations have full situational awareness.

MPs have raised concerns that the definition of a managed service provider in the bill is currently too broad, which risks ambiguity and unnecessary costs for companies.

Currently, a managed service provider is classed as a person who provides managed services in the UK, even if the person is not established in the UK, and who is not a small or micro enterprise; bodies subject to public authority oversight, or which make less than half their income commercially, are exempt.

Royal assent is not anticipated until well into 2027, with full implementation taking a year or so from there. Although the timeline is quite protracted, all potentially affected organisations will need to track it closely and use the time to prepare for and implement new procedures.

Stuart Davey is a partner and Malcolm Dowden is a senior practice development lawyer at Pinsent Masons
