Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

ICO’s own prosecution policy. Although the ICO has a number of enforcement tools available to it (including providing a caution to offending organisations), the ICO’s Prosecution Policy Statement requires the ICO to consider aggravating factors in order to bring a prosecution instead of a caution. These include the accused breaching the law for financial gain, abusing a position of trust, or damage or distress being caused to data subjects. The maximum penalty for criminal offences under the DPA is an unlimited fine. Imprisonment is not available for conviction under any of the DPA offences. Defendants are entitled to normal rights of appeal against a conviction or sentence in the legal system.

6.2 Cybersecurity and AI

On 26 November 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), together with the UK’s NCSC, published joint Guidelines for Secure AI System Development (the “AI Guidelines”). The AI Guidelines aim to ensure that developers take a “secure by design” approach, integrating cybersecurity into the development process from the outset and throughout. The AI Guidelines cover secure design, secure development, secure deployment, and secure operation and maintenance. Relatedly, in its annual review published on 3 December 2024, the NCSC noted the significant advances in AI that will enable and enhance existing challenges associated with cybersecurity.

Work is currently underway by the DSIT to produce a sector-agnostic Code of Practice on Cyber Security of AI (the “AI COP”) to establish the minimum cybersecurity standards that developers and system operators should incorporate when building and using AI solutions. The AI COP, which is voluntary, is based on the AI Guidelines and is intended to sit alongside the UK government’s 2023 White Paper “A pro-innovation approach to AI regulation”, which includes “Safety, Security and Robustness” as one of the five key principles – the focus of the AI COP. The AI COP is structured around 12 principles, and the stakeholders to which each principle primarily applies are identified. Requirements include AI security awareness training, system design and dataset considerations, incorporating threat modelling into the risk management process, and evaluation and testing. The consultation on the AI COP closed on 9 August 2024 and the UK government’s response is anticipated – although no timeline has been set.

6.3 Cybersecurity in the Healthcare Sector

Under the NIS Regulations, NHS trusts, foundation trusts, integrated care boards, and certain other healthcare providers are designated as OESs. Consequently, these healthcare providers are required to comply with the obligations of an OES as described in 2.2 Critical Infrastructure Cybersecurity Requirements.

Medical devices in scope of the Medical Devices Regulations 2002 are expressly excluded from the PSTI Act. However, the UK government is expected to continue its overhaul of the UK’s medical devices legislative framework following the application of the Medicines and Medical Devices Act 2021 (the “MMD Act”). The MMD Act includes powers for the Secretary of State to introduce regulations in relation to the manufacture of medical devices. In February 2024, the Department for Health and Social Care (DHSC) confirmed that it would be introducing a package of legislative reform for UK medical devices. In December 2024, the Medicines & Healthcare products Regulatory Agency (MHRA) issued a
