The UK's Critical National Infrastructure (CNI) is now more technologically dependent than ever before. However, as reliance on digital systems and remotely operated and monitored technologies grow, so too do the risks, making the security and resilience of CNI a national priority.
To address both existing and future threats to CNI, the UK has taken several key steps:
- Regulatory oversight has evolved to include scrutiny of supply chain risks.
- Legislation is being modernised to reflect the growing complexity of cyber risks.
- Enforcement mechanisms are increasingly shifting from a reactive to a proactive approach, and beyond 'best efforts' to hard obligations.
The question now is: what will the future of CNI cyber regulation look like?
Regulating CNI supply chains
Supply chain cybersecurity has historically often been a secondary priority, the first priority being to manage known issues and vulnerabilities for the CNI operators themselves. This too was reflected in regulation, with the regulations focusing primarily on securing CNI operators themselves rather than their third-party dependencies. However, the increasing frequency of supply chain cyberattacks, such as the 2023 Capita data breach which impacted government and pension services, has accelerated regulatory changes. The Telecommunications (Security) Act 2021 is an early example of the UK legislating to manage supplier-related risks. Today, updates to the UK's Network and Information Systems (NIS) Regulation and the new EU Digital Operational Resilience Act (DORA) also seek to significantly extend direct cybersecurity obligations to managed service providers, a recognition that businesses providing essential digital services are themselves integral to CNI.
The UK’s 2022 National Cyber Strategy also emphasises supply chain security, pushing for greater regulatory scrutiny of software providers, cloud computing firms, and third-party IT vendors. However, this raises an important question: if supply chain security is a priority, how far down an organisation's supply chain does the regulatory oversight stop?
While recent UK legislation has taken steps towards addressing supply chain risks, there is no clear answer from a regulatory perspective. In practice, most organisations seek to secure their supply chain in contract, together with governance around supplier procurement and ongoing engagement. Typically, though, that is directed at the suppliers that are next in line in the supply chain (although, commonly, contracts should put an obligation on each supplier to have adequate safeguards in relation to the their suppliers). The reality is that, with digital interconnectivity growing, even small software providers or cloud-hosted services can have cascading impacts on national security. Indeed, this hidden "concentration risk" has been a cause of concern for regulators, particularly in supply chains where there are highly specialised, but relatively few, providers of certain technologies and services.
Yet, regulating every link in the supply chain would likely create an overwhelming compliance burden, particularly for SMEs. As policymakers refine supply chain regulations, the key challenge will be ensuring robust oversight without stifling innovation or imposing unrealistic demands on businesses.
The convergence of CNI and national security
Cyber resilience is no longer just an operational concern—it has been a national security priority for some time, especially in the context of CNI, where the risks and potential impact of cyber threats are well established.1 Governments across the globe are increasingly treating cybersecurity as a critical element of national security, especially as cyber threats target essential services within CNI. For instance, the National Security and Investment Act (NSIA) grants the UK government sweeping powers to scrutinise and block foreign investments and acquisitions on national security grounds, which reflects a broader strategy to manage foreign control over technologies that could impact cybersecurity and national security. This highlights a growing perception of risk associated with foreign ownership and/or operational influence on CNI, or in critical services such as manufacturing, telecommunications, or cutting-edge technologies such as artificial intelligence or quantum-resistant cryptography.
In an era where foreign influence extends beyond physical infrastructure to data, networks, and digital assets, and the dangers associated with "pre-positioning" as signalled by the UK's NCSC at CyberUK2024, it is likely that the government may implement further cyber risk assessments in M&A deals involving CNI – as governments increasingly view CNI-related risk as a strategic and geopolitical issue, rather than merely a matter of corporate governance.
Stronger compliance and enforcement: Moving beyond 'best efforts' to hard obligations
In addition to heightened ownership controls, CNI operators are now subject to stricter compliance obligations. Historically, with the exception of some specific sectors (such as nuclear), the UK's approach to CNI cybersecurity regulation was largely reactive, with regulators intervening after security incidents occurred and penalties reserved for serious failings. Organisations were, to a much greater extent, themselves responsible for implementing appropriate security measures within broad regulatory principles, and for policing their own compliance.
Recognising this, in 2022, the UK government's National Cyber Strategy outlined a commitment to tougher regulatory interventions, focusing on mandatory resilience standards, real-time monitoring and stricter reporting requirements. This was also evident in the government's 2022 consultation on NIS reform which proposed expanding the scope of NIS regulations to cover more sectors, including managed service providers, but also, suggested moving towards a more proactive and prescriptive enforcement model which is reflected in the proposed Cyber Security and Resilience Bill as it seeks to introduce harsher penalties for cybersecurity breaches and greater regulatory oversight of IT infrastructure.
What Comes Next for CNI Operators?
The future of CNI cybersecurity regulation appears to be intensifying as the UK government increasingly recognises cybersecurity threats and their systemic impact on CNI. CNI operators are not only expected to be prepared for breaches, but resilient to threats too. Over time, more sectors may come within the ambit of CNI and fall under the same statutory footing as traditional CNI sectors like water and energy. As the UK government looks to shore up regulators' inspection and enforcement powers, time will tell if they will use these to impose fines for non-compliance, which the regulator has traditionally been cautious with doing.
For CNI operators, this means embedding cybersecurity into their core business operations and ensuring that it is taken seriously at the board level. Organisations should take proactive steps to stay ahead of regulatory changes by pro-actively assessing themselves against the Cyber Assessment Framework published by the NCSC, and by taking account of the more prescriptive rules set out in NIS2, ensuring they are adaptable and future-proof while awaiting the finalisation of the Cyber Security and Resilience Bill.
The Home Office's suggested proposal of a statutory ban on ransom payments by public-sector bodies and owners/operators of Critical National Infrastructure is also likely to have significant operational consequences. If enacted, this would mark a major shift in the legal landscape – removing the “last resort” option from many operators’ incident playbooks and forcing a renewed focus on backup resilience, systems redundancy, robust recovery capabilities and crisis decision-making. This shift, if enacted, will likely raise the bar for what constitutes adequate resilience, particularly in CNI sectors where service continuity is critical. Boards, executive and incident response teams will also need to revisit their incident response planning to cater for the new regulated landscape.
1 https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/1708/170807.htm
Key contacts
Andrew Moir
Partner, Intellectual Property and Head of Cyber Security and Data, London
Joseph Falcone
Partner, New York and Washington, DC
Cameron Whittfield
Partner, Melbourne
Peter Dalton
Partner, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.