UK Trends and Developments Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
and data analysis. This risk is, however, already evident; in May 2024, a deepfake scam resulted in an employee transferring USD25 million to a malicious actor. The NCSC has warned that the commercialisation of cyber-intrusion tools has made it easier for malicious actors to access and attack systems, and harder to trace them. The NCSC is also cognisant of the impact quantum computing will have on existing cryptography methods and technology in the longer term and urged action to prepare for the emerging cyber-risks.

In 2025, the NCSC is expected to focus on key actions to enhance the UK’s cyber-resilience, including:

• promoting basic cybersecurity practices among UK businesses, including a focus on the adoption of the NCSC’s Cyber Essentials certification and the Cyber Assessment Framework;
• the publication of more practical guidance from the NCSC and the National Protective Security Authority;
• continued international co-operation and action against malicious cyber actors from hostile states; and
• initiatives to grow a cyberskilled workforce that is cyberliterate and can contribute to cybersecurity technological innovation.

UK cyber-regulation landscape

The UK’s cybersecurity landscape underwent significant changes in 2024 and more reforms are expected in 2025.

The Product Security and Telecommunications Infrastructure (PSTI) Act and its accompanying regulations came into force on 29 April 2024. They require organisations that manufacture “relevant connectable products” to meet certain cybersecurity standards such as minimum password requirements, reporting security issues, and minimum periods for which products will receive security updates.

The Labour government, which came to power following the UK’s General Election in May 2024, has demonstrated its commitment to cybersecurity reform and progressing the UK’s National Cyber Strategy. The King’s Speech in July 2024 announced the introduction of two new bills into Parliament – namely, the Cyber Security and Resilience (CSR) Bill and the Data (Use and Access) (DUA) Bill.

The CSR Bill will revise the Network and Information Systems Regulations 2018 (the “NIS Regulations”), which is the only existing sector-wide cybersecurity legislation in the UK. The UK government has been under pressure to update the NIS Regulations – which was implemented pre-Brexit – to align more closely with recent EU legislative developments in this space and, in particular, to expand the scope of the NIS Regulations to include more digital services and supply chains, increase mandatory incident reporting obligations, and provide enhanced powers to regulators. According to the UK Department for Science, Innovation and Technology (DSIT), the CSR Bill will be introduced into Parliament in 2025.

The DUA Bill will amend the existing UK data protection laws. However, owing to the overlap between data protection and cybersecurity, businesses should be aware of the DUA Bill when considering their overall cyber-resilience programme. The DUA has been teased as the potential vehicle for further amendments to the Computer Misuse Act (CMA). Proposed amendments to the CMA were debated in the House