UK Trends and Developments Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
of Lords and subsequently rejected in December 2024 and again in January 2025. The proposed amendments were intended to support cybersecurity professionals that work against cybercrime, included an update to the definition of unauthorised access, and would have provided for a new defence against offences under the CMA where a person is acting to prevent or detect a crime or is otherwise acting in the public interest. The DUA Bill will continue to progress through the legislative process in 2025, most likely without CMA reform. Nevertheless, in October 2024, the UK’s Security Minister stated that the Labour government remains committed to tackling cybercriminals and suggested that a review of the CMA is forthcoming.

In 2024, the DSIT consulted on three draft cybersecurity codes of practice:

• the AI Cyber Security Code of Practice (the “AI COP”);
• the Code of Practice for Software Vendors (the “Software Vendors COP”); and
• the Cyber Governance Code of Practice (the “Governance COP”).

The AI COP aims to develop a global technical standard for the security of AI systems, based on the principle of “Safety, Security and Robustness” from the UK government’s 2023 White Paper, “A pro-innovation approach to AI regulation”. The Software Vendors COP sets out four key principles for security measures that businesses that develop and/or sell software in a B2B context should follow, which are:

• secure design and development;
• build environment security;
• secure deployment and maintenance; and
• communication with customers.
The Governance COP outlines five key principles and related actions for good cybergovernance, which relate to risk management, cyberstrategy, people, incident planning and response, and assurance and oversight. The consultations closed in 2024 but the responses have not yet been published. Businesses should keep an eye out for them in 2025.

Finally, in September 2024, the UK government designated data centres as CNI – meaning that, alongside energy supply, water supply and transportation, data centres located in the UK are considered “essential for the functioning of society”. As a result, UK data centres can access more support and guidance from the government and the NCSC in the event of outages, cyber-attacks, and adverse weather events.

Supply chain cybersecurity resilience and risk management

Supply chain cybersecurity risk management was a key theme during the course of 2024, particularly in the financial services sector, and this trend is likely to continue in 2025. As businesses become more interconnected, they also become more vulnerable to cyber-attacks through their suppliers, even if they have strong cybersecurity practices themselves.

As mentioned in “UK cyber-regulation landscape”, the CSR Bill is expected to expand the scope of the NIS Regulations to (inter alia) introduce new obligations with regard to supply chain management and cyber-resilience – ie, in line with the approach taken in the EU under NIS2 where in-scope entities are required to implement supply chain security policies, supply chain due diligence and minimum supply chain security standards, among other measures. The CSR Bill will likely be scrutinised against NIS2 once published.