Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

determining whether the effect that a security compromise has – or would have – on the operation of a network or service is “significant”, certain matters should be considered, including the length of the period during which the operation of the network or service is or would be affected, the number of affected persons, the geographical size and location affected, and the extent to which activities of persons who use the network or service are or would be affected by the effect on the operation of the network or service.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

There are numerous cybersecurity frameworks that are expressly or implicitly recognised by UK cybersecurity regulators. By way of example, the ICO recommends that organisations review the UK Cyber Essentials scheme (a UK government- and industry-backed scheme), which provides basic guidance to organisations on how to prevent and limit the impact of cyber-attacks.

Similarly, Ofcom repeatedly references the International Organization for Standardization (ISO) standards in its Guidance on Security Requirements. In addition, Ofcom comments that the controls in the UK’s Cyber Essentials scheme should be implemented and exceeded; according to Ofcom, obtaining the Cyber Essentials Plus certification is “a powerful way to demonstrate this”.

Regarding the NIS Regulations, the NCSC has published 14 cybersecurity and resilience principles that provide guidance in the form of the Cyber Assessment Framework (CAF). The CAF is particularly relevant to OESs that are subject to the NIS Regulations.

Lastly, the most used account and payments data security standard, the Payment Card Industry Data Security Standard (PCI DSS), was revised. Version 4.0 was published on 31 March 2022.

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

As mentioned in 1.2 Cybersecurity Laws, the UK GDPR and the DPA contain cybersecurity obligations in relation to the processing of personal data. The UK GDPR and the DPA apply to:

• all organisations established in the four countries of the UK (ie, England, Northern Ireland, Scotland and Wales); and
• organisations not established in the UK processing personal data of data subjects in the UK to offer them goods or services or to monitor their behaviour.

The UK GDPR requires that controllers and processors implement “appropriate” technical and organisational security measures, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of the processing of personal data, as well as the risks of such processing to the data subject’s rights (eg, from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of – or access to – personal data transmitted, stored or otherwise processed by the organisation).

The UK GDPR itself sets out examples of “appropriate” security measures, which are:
