
By Jonathan Armstrong
As the UK prepares to implement its Cyber Security and Resilience Bill, Jonathan Armstrong outlines what businesses need to know and how they can act now. With mounting threats and tighter regulations ahead, organisations must proactively strengthen their cyber strategies to stay compliant, resilient, and ahead of emerging security risks.
Cybercrime is expected to cost the global economy $12 trillion by 2025, according to Forrester’s ‘Predictions 2025: Cybersecurity, Risk, and Privacy’ report[i]. Meanwhile, a survey by Cloudflare last year across 13 European markets found that 40% of organisations experienced a cybersecurity incident in the past year[ii]. In the UK, the 2024 Cyber Security Breaches Survey[iii] revealed that more than half of UK businesses suffered a breach or attack in the last 12 months.
In response to these growing threats, lawmakers across the EU and the UK are stepping up efforts to ensure organisations adopt stronger cyber defences. With attacks becoming more frequent, sophisticated, and damaging, businesses are being urged to act now in preparation for the UK Government’s forthcoming Cyber Security and Resilience Bill.
Outlined in a Government policy statement on 1 April 2025, the legislation will significantly expand the UK’s cyber regulatory landscape. The Bill is set to extend existing frameworks, closely mirroring the EU’s NIS2 Directive, which started applying to businesses in October 2024 as a legal framework to uphold cybersecurity in 18 critical sectors across the EU. Many digital and B2B IT providers already adapting to NIS2 for their EU operations will now need to mirror those efforts within the UK.
What are the key changes?
Amongst the changes planned are the following:
- More IT service providers in scope: The new Bill will expand the scope of the legislation to cover managed service providers (MSPs). The formal definition of MSPs will include a significant number of B2B IT service providers. The UK Government is still working on its formal definition of MSPs but estimates that an additional 900-1100 MSPs will come within the new regime.
- Tight incident reporting deadlines: The new Bill will also introduce a two-stage reporting structure. When a significant incident occurs, in-scope companies will have to make an initial report within 24 hours and a more detailed report within 72 hours of the incident. Reports will also have to be made to the UK National Cyber Security Centre (NCSC) as well as the relevant regulator. In some circumstances customers will also have to be told. The policy paper has specifically referenced its similarities with the NIS2 incident reporting timelines.
- More powers for the ICO: The new Bill will aim to enhance the powers of the Information Commissioner’s Office (ICO, the main data protection authority in the UK) to gather information and serve notices, and will impose an expanded duty on some firms to share information with the ICO. The ICO will also be the enforcement body for MSPs under the Bill.
- Data centres: The UK Government is currently considering whether data centres will be explicitly classified as critical national infrastructure in the Bill. If they are, they will attract more regulatory oversight.
- Critical service providers: The Bill will include new powers for regulators to designate a supplier as a critical service provider (CSP) “if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports.” A CSP could be an SME even if it would be too small to fall under the UK’s existing NIS regime. This might mean that some smaller businesses come within the regime for the first time. It may also give regulators the power to single out some organisations for particular scrutiny.
- Making the regulated contribute to their regulation: The Bill will include an enhanced registration regime, with the intention that organisations pay registration fees to support the regulatory regime, and new powers proposed for the ICO to enforce payment. The power to raise more money in registrations, coupled with the ability to designate even a micro business as a CSP, could mean a significant financial burden for some organisations.
How can businesses prepare?
Here are some practical tips for businesses to keep in mind now:
- Monitor developments. Work out the likely scope and impact on the organisation by keeping up to date with what’s happening with the Bill.
- Look at processes and procedures. Most organisations now have a data breach reporting procedure to meet GDPR reporting deadlines. Like NIS2, the proposed new reporting obligations have tighter time limits and are likely to be wider in nature. Organisations should ensure their procedures reflect this. Also review any additional reporting requirements, e.g. those under DORA[iv] or the EU AI Act[v].
- Train people. Ensure key personnel are up to date on new reporting obligations and incident management.
- Look at the organisation’s response team. Make sure that they are ready to report within 24 hours when required.
- Rehearse incidents. Experience shows that organisations which regularly rehearse realistic cyber security incidents handle them more effectively.
- Look at and amend supplier contracts. Organisations may need suppliers to tell them more quickly about incidents given the additional reporting obligations.
- Look at the technical and organisational measures (TOMs) used to keep your business secure. As technology moves on, organisations need to check that these measures are still best placed to defend the organisation from current threats, including AI-based threats. The NCSC has information on current risks and practical guidance on prevention[vi].
- Tell the board and audit committee about any increased liability. Make sure there are people on the board who understand the requirements of the Bill and cybersecurity risk more generally.
A Pan-European Imperative for Cyber Resilience
The UK’s Cyber Security and Resilience Bill signals a major shift in the regulatory landscape, but it shouldn’t be seen in isolation. Financial services organisations have already seen the winds of change with DORA and the changes to the UK operational resilience regime. With the EU’s NIS2 Directive already in force and other global frameworks emerging, businesses must now treat cyber resilience as a strategic, cross-jurisdictional priority.
For European businesses, particularly those with UK operations or clients, aligning UK and EU compliance strategies will be key. There is an opportunity to streamline processes, raise security standards, and build a culture of cyber awareness throughout the organisation.
Ultimately, businesses that view this legislation as a catalyst for investment in people, processes, and technology will be better positioned to protect assets, maintain stakeholder trust, and gain a competitive edge in a highly regulated digital economy. Cyber risk knows no borders; neither should cyber preparedness.
About the Author
Jonathan Armstrong is a lawyer at Punter Southall Law working on compliance & technology. He is also a Professor at Fordham Law School. Jonathan is an acknowledged expert on AI and he serves on the NYSBA’s AI Task Force looking at the impact of AI on law & regulation.
References
[i] https://securitybrief.co.nz/story/cybercrime-to-cost-12-trillion-by-2025-says-forrester
[ii] https://www.cloudflare.com/en-gb/press-releases/2024/european-businesses-anticipate-more-cybersecurity-attacks-but-feel/
[iii] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
[iv] https://puntersouthall.law/insights/eu-dora-regulation-operational-resilience-requirements/
[v] https://puntersouthall.law/insights/the-eu-artificial-intelligence-act/
[vi] https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024