NHS suppliers required to meet robust measures under Cyber Bill

  • 2 April 2025
  • The government has published plans for the Cyber Security and Resilience Bill, which is expected to be introduced to Parliament in 2025
  • It includes proposals to require more organisations and suppliers to meet robust cyber security requirements.
  • Around 1,000 service providers will fall in the scope of measures

The government has published its plans for the Cyber Security and Resilience Bill, which aims to boost cyber defences for public services including the NHS.

The Bill, which is expected to be introduced to Parliament in 2025, was first announced in the King’s Speech in July 2024. The new legislation is intended to improve UK cyber defences and prevent attacks similar to the Synnovis ransomware attack in June 2024, which impacted London pathology services.

Proposals in the Cyber Security and Resilience Bill policy statement, published on 1 April 2025, require more organisations and suppliers, including data centres, managed service providers and critical suppliers, to meet robust cyber security requirements.

Wes Streeting, health secretary, said: “Cyber attacks are becoming increasingly sophisticated and create real risks for our health service if we do not act now to put the right protections in place.

“We are building an NHS that is fit for the future. This bill will boost the NHS’s resilience against cyber threats, secure sensitive patient data and make sure life-saving appointments are not missed as we deliver our Plan for Change.”

Around 1,000 service providers will fall in the scope of measures, which will require third-party suppliers to boost their cyber security in areas such as risk assessment to minimise the possible impact of cyber attacks and improve their data protection and network security defences.

Regulators will have more tools to improve cyber security and resilience in the areas they regulate, with companies required to report more incidents to help build a stronger picture of cyber threats and weaknesses in online defences.

If the proposals are adopted, the government would also have greater flexibility to update regulatory frameworks when needed, to respond swiftly to changing threats and technological advancement.

This could include extending the framework to new sectors or updating security requirements.

Peter Kyle, technology secretary, said: “Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”

Commenting on the plans, Andrew Rose, chief security officer at cyber security firm SoSafe, said: “While it’s positive to see a crackdown on security measures, supply chains, reporting and regulation, it’s essential that the government address the ‘elephant in the room’ – that most cyber attacks target human vulnerabilities rather than technological ones.

“Training and educating staff must be a priority. The importance of providing your first line of defence – your people – with the necessary tools and knowledge to deter criminals should not be underestimated by both the government and businesses.”

An online survey from BT, carried out between 8 September 2024 and 16 September 2024, found that 60% of NHS staff want more cyber security training, and only 36% believe current cyber measures are sufficient.
