UK bill would extend cyber rules to tech firms, add revenue fines

UK introduces Cyber Security and Resilience Bill expanding NIS rules to tech and managed service firms, with turnover-based fines and measures against AI misuse, including child sexual abuse content.
The UK government has introduced the Cyber Security and Resilience Bill to Parliament, expanding Network and Information Systems rules to a wider set of technology and managed service providers and adding revenue-based penalties for noncompliance.
According to the Department for Science, Innovation and Technology, the measure brings IT management, technical support, and cybersecurity service providers under the same obligations that apply to entities already covered by NIS regulations. The aim is to strengthen network and data security across business and public services by improving incident reporting and response and by limiting risks to critical infrastructure and corporate networks.
Under the bill, fines for breaches could be calculated as a proportion of a company’s annual turnover. The proposal would also grant the technology secretary authority to direct regulators and organizations to put in place preventive measures where cyber threats are judged to raise national security concerns.
The package includes safeguards against the misuse of artificial intelligence to generate child sexual abuse material. Trusted organizations, including AI developers and charities, would be authorized to test models for vulnerabilities before harmful content can be produced, with the goal of detecting risks earlier in development.
Government materials indicate the bill is designed to align UK standards with European Union rules and to strengthen defenses against state-sponsored activity, citing threats attributed to China, Iran, and North Korea.
The department referenced independent research estimating the average cost of a serious cyberattack in the UK at £190,000 per incident and roughly £14.7 billion a year across the economy. Officials view expanded oversight of service providers as a way to address a common pathway for intrusions, given the access these companies hold to client systems.
Science, Innovation and Technology Secretary Liz Kendall characterized the legislation as reinforcing the UK’s approach to cyber threats and aimed at protecting public services, businesses, and citizens.
The bill has been submitted to Parliament and will proceed through the legislative process before any provisions take effect.
As GNcrypto covered previously, the UK Serious Fraud Office opened a major probe into the Basis Markets scheme, where investors are believed to have lost about $28 million. Officers searched premises in south London and near Bradford, arresting two men on suspicion of crypto fraud and money laundering. The SFO said it was its first publicly announced large-scale crypto case, and Director Nick Ephgrave noted the office is expanding its digital-asset capacity. In early November, a London court sentenced Zhimin Qian for laundering tied to the record seizure of 61,000 bitcoin.