Marks and Spencer's Cyber Attack Incident
As Marks & Spencer (M&S) is forced to pause online orders in the fallout from a recent cyber-attack, we consider if the new cyber laws will help other businesses prepare to face this threat.
The Cyber Attack
The popular retailer has suffered a “cyber incident” which has led to the suspension of its online retail services since Friday. M&S join an increasingly long list of consumer businesses, including Morrisons and Barclays, which have been affected by cyber issues that have damaged sales as well as reputation.
Continuous cyber-attacks at key times of the year for businesses providing online services disrupt their own business as well as the wider economy.
New Cyber Laws
What are they and when were they announced?
The Cyber Security and Resilience (CS&R) Bill was announced in the King’s Speech in July 2024. While we are still awaiting the introduction of the Bill to Parliament, the Department for Science, Innovation and Technology (DSIT) published its ‘Cyber security and resilience policy statement’ at the start of April 2025. This gives an indication of what the key focus and measures are likely to be.
The government has stated that the purpose of the Bill is to “address vulnerabilities in our cyber defences to minimise the impact of attacks and improve resilience in our critical infrastructure, services and digital economy”. The Bill will cover all sectors and be implemented across the UK. The government views this as an opportunity to set a global standard for cybersecurity regulation.
Why do we need the Bill?
The UK’s current cross-sector legislation on cybersecurity is primarily derived from the Network and Information Systems Regulations 2018. Since then, other countries have introduced more modern and comprehensive legislation. DSIT’s policy statement refers to the influence the EU’s NIS2 regime has had on the policy proposal in the statement.
Not only have large corporations such as M&S been affected, but also key public bodies and infrastructure. The cyber-attack on Synnovis in June 2024, a key service provider to the NHS, caused over 11,000 appointments and procedures to be postponed.
Cyber-attacks can have a wider impact when they affect supply chains. Any supply chain will usually hold a large quantity of data which could affect multiple parties in the supply chain, many of whom might not be prepared for the risk of a cyber-attack.
What will the Bill achieve?
The Bill is set to bring more entities within the scope of the regulations, including Managed Service Providers (circa 1000 providers are estimated in the UK) and key suppliers. This will place further duties on these entities to improve security and compliance. There will also be increased duties on key service providers to check the security of their supply chain.
Regulators will be empowered to tailor the requirements for each sector and to increase reporting standards for cyber incidents to encourage transparency. The government will also provide the Information Commissioner’s Office with more powers to gather the further information required to anticipate key cyber threats and alert entities to them.
The Bill is intended to be flexible to keep up with the fast-paced nature of cybercrime. The Secretary of State will be granted powers to update the framework of the regulations without resorting to the often slow process of primary legislation, including imposing new duties on entities already within the scope of the regulations and widening the scope itself.
DSIT has introduced additional proposals in its policy statement. These would further extend the scope of the regulations by bringing data centres within the scope of the Bill and by introducing a list of strategic priorities for regulators. DSIT has also recommended that the government be given executive powers to respond to cyber threats for national security purposes.
NCSC views
The National Cyber Security Centre (NCSC) has welcomed the proposals in DSIT’s recent policy statement. Jonathan Ellison, Director of National Resilience for NCSC, stated that these “offer a real opportunity to tackle increasing acceleration and diversification of cyber threats to UK critical sectors” and along with the additional measures under consideration, “give the UK some of the strongest protections in the world against advanced attackers”.
We wait to see the full measures of the CS&R Bill upon its introduction to Parliament later this year. The Bill is a key policy for the government in its aims to strengthen national security and create a strong and secure environment for businesses and public bodies to operate and grow.