Cyber security | UK Regulatory Outlook February 2025

Published on 27th Feb 2025

UK AI cyber security code of practice  | UK consult on ransomware reporting and payments | FCA consultation on operational incident and third-party reporting | CBEST analysis of financial sector's cyber resilience | General Assembly adopts UN Convention against Cybercrime | European Commission to focus on securing healthcare sector 

UK government publishes AI cyber security code of practice  

The Department for Science, Innovation and Technology (DSIT) published a new and voluntary code of practice for artificial intelligence (AI) cyber security on 31 January, setting out how organisations developing and deploying AI apps and systems can better protect themselves against and manage the risks from a range of cyber threats (as reported in our previous Regulatory Outlook). 

The code, which is structured into 13 principles, will be used to create a global standard through the European Telecommunications Standards Institute. An accompanying implementation guide sets out how organisations across the AI supply chain, particularly developers and system operators, can adopt and meet the relevant provisions of the code of practice.

The government's response to the draft code has also been published. The code is intended to set out clear actions for directors, company boards and senior leaders to manage cyber risks effectively across their organisation. The DSIT has committed to publishing an updated version of the code in early 2025.

The DSIT's codes of practice are gathered on this webpage. See the press release for further information and the government's response to the call for views on the draft code of practice.

Government consults on ransomware reporting and payments 

The UK government is proposing to introduce legislation to counter ransomware and to protect public services and critical national infrastructure (CNI) from ransomware attacks.

The government is consulting on three proposals to introduce:

  • a targeted ban on ransomware payments for all public sector bodies and owners and operators of CNI that are regulated or have competent authorities;
  • a ransomware payment prevention regime, which would require any individuals or organisations that are victims of ransomware to engage with the authorities and report their intention to make a ransomware payment before paying; and
  • a threshold-based mandatory requirement for all suspected victims of ransomware to report ransomware attacks within 72 hours, followed by a full report within 28 days.  

The consultation closes on 8 April 2025. 

The Joint Committee on the National Security Strategy conducted a year-long inquiry into ransomware in 2022; see our Insight and the government's response published last year for more details.

FCA consultation on operational incident and third-party reporting  

The Financial Conduct Authority (FCA) published a consultation paper, CP24/28: Operational Incident and Third Party Reporting, in December that seeks feedback on proposals for firms to report on operational incidents such as cyber attacks and IT outages and on material third party arrangements. 

With the aim of reducing reporting complexities and burdens for firms, the proposals mirror the consultation put forward by the Bank of England and Prudential Regulation Authority. They are designed to align with international incident and third-party reporting frameworks such as the EU's Digital Operational Resilience Act (DORA). 

The consultation paper sets out proposals for:  

  • a definition for when an event would be considered an "operational incident";
  • a thresholds-based requirement for firms to submit standardised reports on incidents; and
  • material third-party reporting rules. 

The consultation closes on 13 March 2025. 

To find out more about DORA, which came into force on 17 January 2025, see the webinar recording of our Future of Financial Services session on "Deciphering DORA".  

Cyber regulators issue new guidance to secure 'edge devices' 

The UK National Cyber Security Centre and partner agencies in Australia, Canada, New Zealand and the US have issued new guidance on minimum requirements for forensic visibility, to help network defenders and manufacturers make "edge devices" more secure.

Internet-connected edge devices, such as smart appliances and Internet of Things devices, act as entry points for data between local networks and the wider internet and are considered particularly vulnerable to exploitation by cyber criminals.

The guidelines set out minimum logging and forensic data acquisition requirements that network defenders should consider when selecting new physical and virtual network devices to improve threat detection and incident response following a cyber incident.  

See the NCSC press release and the Products section for more details on the applicable requirements for device manufacturers.  

CBEST thematic analysis assesses cyber resilience in the financial sector 

The Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published their latest annual analysis of the CBEST framework, the threat-led penetration testing regime for critical national infrastructure in banking. The 2024 CBEST thematic analysis reviews the assessment framework, which is aimed at helping financial firms and financial market infrastructures (such as payment systems) better prevent and mitigate cyber incidents that could cause operational disruption and affect the stability of the UK financial sector.

Key findings in the analysis highlighted gaps in firms' foundational cyber defences, such as weak identity management and access controls that expose firms to credential theft and social engineering, and insufficient detection and response capabilities. 

Firms are advised to use the findings of the report to strengthen their cyber resilience capabilities. The regulators intend to consult in the second half of 2025 on expectations around the management of information and communication technology and cyber resilience risks. The consultation will look to further improve operational and cyber resilience in the sector. 

For more information on how to manage FCA and Information Commissioner’s Office investigations following a cyber security breach, see our Future of Financial Services Week "Into the (cyber) breach" webinar recording.

General Assembly adopts UN Convention against Cybercrime 

The United Nations Convention against Cybercrime was adopted by the General Assembly of the United Nations on 24 December 2024. The convention will be the first comprehensive, legally binding global treaty on cybercrime, which aims to strengthen international cooperation in preventing and investigating cybercrime. 

The General Assembly agreed on the final text for the convention in August 2024 (see our previous Regulatory Outlook). It will open for signatures at a formal ceremony in 2025 and enter into force 90 days after being ratified by the 40th signatory. Interpol published a statement welcoming its adoption amid a "sharp escalation in the scale and complexity of cyber attacks".

European Commission to focus on securing healthcare sector 

The European Commission has presented an EU action plan to strengthen the cybersecurity of hospital and healthcare providers. The action plan was announced in the Commission president Ursula von der Leyen's political guidelines as a priority within the first 100 days of her new mandate. 

The plan focuses on enhancing the preparedness of the sector by introducing guidance on implementing critical cybersecurity practices. It looks to improve detection and identification of threats by developing an EU-wide early warning service, proposing a rapid response service for the sector, encouraging member states to request reporting of ransom payments by entities, and using the "Cyber Diplomacy Toolbox", a joint EU diplomatic response to deter threat actors from attacking European health systems.

The EU plans to launch a public consultation on further recommendations by the end of the year, with specific actions to be rolled out in 2025 and 2026. 

To find out more about the latest issues surrounding cyber security, see our Insight.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.