UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
must be reported to the ICO. The ICO is, in turn, responsible for investigating the breach and taking any subsequent enforcement action. However, with regard to the CA 2003 (which is companion legislation to the PECR), Ofcom is the primary regulator. Pursuant to Section 105C of the CA 2003, Ofcom may carry out an audit of the security measures taken by a network provider or a service provider under Section 105A. Notifiable security breaches under Section 105 of the CA 2003 must be reported to Ofcom, which is in turn responsible for investigating the breach and taking any subsequent enforcement action.

CMA
Although there is no regulatory authority with oversight of the CMA per se, the provisions of the CMA are enforced by the UK Crown Prosecution Service (CPS), which is the public authority responsible for prosecuting the majority of criminal cases in the UK. The CPS is notified of CMA investigations and potential offences by the police and other investigative organisations in England and Wales. See 4.2 Key Obligations Under Legislation for more information.

PSTI
The Office for Product Safety and Standards is responsible for enforcing the PSTI Act. Non-compliance with the PSTI Act can result in fines of up to GBP10 million or 4% of a company's global turnover (whichever is greater), as well as up to GBP20,000 per day in the case of an ongoing contravention.

National Cyber Security Centre
The NCSC is the key UK cybersecurity agency, co-ordinating UK cybersecurity policy and technical standards, particularly with regard to the NIS Regulations and the UK GDPR. The NCSC acts as the national computer security incident response team (CSIRT) under the NIS Regulations and supports organisations that suffer cybersecurity incidents. It also acts as the "single point of contact" for competent authorities under the NIS Regulations. Following Brexit, the UK has forfeited its seat at the EU Agency for Cybersecurity (ENISA); however, some operational co-operation continues in order to allow for improved cybersecurity across Europe.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation
The regulation of cybersecurity for critical infrastructure in the UK is primarily governed by the NIS Regulations. See 1.2 Cybersecurity Laws for a summary of the scope of the NIS Regulations.

On 17 July 2024, the UK government announced the CS&R Bill, intended to strengthen UK defences against cyber-attacks and protect critical infrastructure. The briefing note on the CS&R Bill suggests it will update the UK's cyber regulatory framework by:

• expanding the scope of the NIS Regulations to cover "more digital services and supply chains";
• giving further power to regulators to ensure measures are being implemented; and
• mandating increased incident reporting to provide a better picture of the threat landscape and cyber-attacks.

It is expected that the CS&R Bill will be introduced in Parliament in 2025.