Cybersecurity

Latest developments

The Network and Information Systems Regulations 2018

While Member States in the EU work to implement local laws in order to give effect to EU Directive 2022/2555 (“NIS 2”), which is set to replace the EU’s  NIS Directive, UK progress on updating the Network and Information Systems Regulations 2018 (“NIS Regulations”) has been relatively silent. On 30 November 2022, the UK Government confirmed that the ongoing public consultation on proposals for legislation to improve the UK’s cyber resilience regime will lead to changes being made to the UK’s cybersecurity regulations, including the introduction of requirements to managed service providers. However, that was based on a consultation in 2020 and it remains to be seen whether the next Government will proceed with these plans. 

The Computer Misuse Act 1990

Similarly, the 6 April 2023 saw the end of a UK Government consultation paper to amend and update the Computer Misuse Act 1990 as part of the UK Government’s attempts to modernise and reform UK cybersecurity legislation, but the response paper has not yet been published. 

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

The new UK consumer connectable product rules in the Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force on 29 April 2024. Manufacturers, distributors and importers of connected products that are in scope will need to keep in mind these requirements when making their products available on the market.

Summary

In summary, whilst national security and cybersecurity are very much in focus in the UK, there are currently no plans for significant changes to the underlying legislation at this time. 

How could it be relevant for you?

The Network and Information Systems Regulations 2018

Although it is unclear when the NIS Regulations will be updated, it remains a central piece of legislation for cybersecurity in the UK and is increasingly the focus of the regulator the ICO.

The Computer Misuse Act 1990

While the Computer Misuse Act does not impose security obligations on businesses, organisation should still be aware of three new powers proposed to be given to law enforcement agencies under the Computer Misuse Act 1990:

1. Power to take control of domains and internet protocol (IP) addresses where these are being used by criminals to support a wide range of criminality, including fraud and computer misuse.
2. Power to require the preservation of computer data in order to allow a law enforcement agency to determine whether the data would be needed in an investigation.
3. Power to allow action to be taken against a person possessing or using data obtained by another person through a Computer Misuse Act 1990 offence, such as accessing a computer system to obtain personal data (subject to appropriate safeguards).

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

Manufacturers, distributors and importers, of UK consumer connectable products are now legally required to comply with minimum security requirements, including minimum password requirements, minimum security update periods, the provision of statements of compliance and providing security contact points. 

Next steps

It is important for organisations that do business in the UK to continue to monitor developments so that they are prepared for any new compliance and reporting measures that they may need to introduce into their business processes. In particular, companies should be looking to make sure that they:

1. Identify whether any of their business units or subsidiaries fall within the scope of the cybersecurity regimes discussed: It is important that organisations understand if they will be captured under the UK’s evolving regulations. In some cases, a sector may fall under one regime, but not the other.
2. Adopt a proactive approach to security: Organisations should be allocating appropriate resources early on in order to assess their current risk management and cybersecurity processes to identify any gaps that need to be addressed in order to ensure that they are able to comply with the cybersecurity regimes, and in particular, any changes or updates introduced, that are applicable to them.
3. Have a detailed knowledge and understanding of their systems: A clear understanding of security implications for all system assets, plus those provided or managed by third parties, is essential.
4. Develop detailed incident handling processes: Organisations must ensure that they have proper incident handling in place with prepared materials, processes and procedures to follow in the event of incident, and that their employees are sufficiently trained to implement these.

Written by James Moss, Anthony Rosen, Matthew Buckwell and Rory Coutts 

*Information is accurate up to 1 July 2024