Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

“PSTI Regulations”), which set out conditions for deemed compliance with security standards, including compliance with relevant parts of ETSI EN 303 645 or – in some cases – ISO/IEC 29147. Schedule 1 of the PSTI Regulations includes the following security requirements for manufacturers:

• all UK consumer-connected product passwords must be unique and incapable of being reset to any universal factory setting;
• manufacturers, importers and/or distributors of UK consumer-connected products must provide a public point of contact for reporting vulnerabilities and these must be acted on in a timely manner; and
• manufacturers, importers and/or distributors of UK consumer-connected products must explicitly state the minimum length of time for which the device will receive security updates at the point of sale.

CMA

As mentioned in 1.2 Cybersecurity Laws, a key offence under the CMA (Section 1) is where a defendant obtains “unauthorised access” to a computer. Although the CMA primarily applies to offences committed within the UK, it allows for prosecutions to be brought in the UK where some or all of the offending acts were committed outside the UK – reflecting the trans-border nature of many cybersecurity-related offences.

By way of example, Section 1 of the CMA can apply to offending acts committed outside the UK and can – as a result – be prosecuted in the UK where there is “at least one significant link with the domestic jurisdiction”. A significant link can include where:

• the accused is in a relevant country of the UK (England, Wales, Scotland and Northern Ireland) at the time of the offence;
• the target of the CMA offence is in a relevant country of the UK; or
• the technological activity that has facilitated the offending may have passed through a server based in a relevant country of the UK.

An offence committed under the CMA is prosecuted through the UK courts by the CPS. When determining whether to bring a prosecution under the CMA, the CPS must be satisfied that there is enough evidence to provide a “realistic prospect of conviction” against each defendant and that the public interest factors tending against prosecution outweigh those tending in favour.

Offences under the CMA can carry imprisonment or a fine (or both). In addition, a serious crime prevention order can be made against an individual or an organisation in relation to a breach of the CMA.

The UK government continues to progress amendments to the CMA, as for many years commentators have stated that the CMA has failed to keep pace with the cybersecurity landscape. Commentators highlight issues with the ambiguity around the meaning of “authorisation” and its subsequent impact on cybersecurity professionals, as well as issues with the current jurisdictional scope of the CMA, given the international nature of many cybersecurity incidents. In November 2023, the UK government published responses to a consultation on proposed CMA reforms, noting that work will continue on engagement with private and public sector organisations to understand further impacts and mitigations in this area before it is considered for legislation.
