Cybersecurity 2025

UK Law and Practice

Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

1. General Overview of Laws and Regulators

1.1 Cybersecurity Regulation Strategy

The UK cybersecurity legal system is well developed and is similar to the legal systems across the European Economic Area (EEA), rather than the USA – although post-Brexit, divergence in approach to cybersecurity regulation by the EU and the UK is starting to emerge. Since the GDPR came into force in 2018, the enforcement of cybersecurity rules in the UK has continued to be a focus, particularly by the UK data protection regulator, the Information Commissioner’s Office (ICO). In 2025, the UK looks set to introduce new legislation to address the changing cyberthreat landscape and more closely align UK law with developments in the EU (such as the Network and Information Systems Directive 2 (the “NIS 2 Directive”) – see 2. Critical Infrastructure Cybersecurity for further detail).

The UK government has also signalled an overhaul of its ability to assist and promote cybersecurity through its national cyber strategy for 2022 (the “National Cyber Strategy”), as well as through its government-specific Government Cyber Security Strategy for 2022–30. The National Cyber Strategy takes a “whole of society” approach, with the aim of shifting the burden of cybersecurity from individual citizens to the organisations and professionals best placed to manage cyber-risks. The National Cyber Strategy is comprised of five pillars, which it is working to achieve by 2025:

• strengthening the UK cyber ecosystem – by investing in people and skills, and deepening the partnership between government, academia and industry;
• building a resilient and prosperous digital UK – by reducing cyber-risks so that businesses can maximise the economic benefits of digital technology and provide more security for UK citizens online;
• taking the lead in technologies vital to cyber power – by building industrial capacity and developing frameworks to secure future technologies;
• advancing UK global leadership and influence for a more secure, prosperous and open international order – by working with government and industry partners and sharing the expertise that underpins UK cyber power; and
• detecting, disrupting and deterring adversaries to enhance UK security in and through cyberspace – by making more integrated, creative and routine use of the UK’s full spectrum of levers.

The National Cyber Strategy also proposes a number of regulatory reforms, including but not limited to increasing the scope of the Network and Information Systems Regulations (the “NIS Regulations”) (see 2. Critical Infrastructure Cybersecurity for further detail).

1.2 Cybersecurity Laws

The UK has a well-developed – and growing – network of civil and criminal laws relating to cybersecurity, contained in UK legislation, companion rules made under such legislation, decisions of UK courts, and a steady stream of regulatory guidance from UK regulators.

Key cybersecurity requirements imposed on organisations in the UK, or on organisations that are established outside the UK but are processing personal data of individuals located in the UK, are derived from the UK General Data Protection Regulation (the “UK GDPR”), as supplemented by the UK Data Protection Act 2018 (DPA).
