Cyber security | UK Regulatory Outlook January 2023
Published on 27th Jan 2023
Call for evidence to Parliamentary ransomware inquiry ends | Proposed updates to NIS | EU regulation on digital operational resilience adopted by European Parliament
Call for evidence to Parliamentary ransomware inquiry ends
As mentioned in our previous Regulatory Outlook, on 31 October 2022, the Parliamentary Joint Committee on the National Security Strategy launched a call for evidence for its inquiry into ransomware. UK organisations were invited to submit evidence on topics including access to and the availability of insurance cover for paying ransoms and reforms that might enhance the UK's resilience to ransomware. The call for evidence has now closed (the deadline for written submissions having been extended to 23 December 2022).
The topics included in the call for evidence indicate that consideration is being given to regulation, or a total ban, on ransomware payments. This would have a significant impact on organisations affected by cyber attacks. It is not currently known when the Joint Committee will publish its report of recommendations following the call for evidence, nor the extent to which those recommendations will form the basis of government policy.
Please see our Insight for more information.
Proposed updates to NIS
Following a consultation in early 2022, the government announced on 30 November 2022 that the UK's Network and Information Systems (NIS) regulations will be strengthened to further protect essential services against digital threats, such as cyber attacks.
The NIS regulations aim to improve the cybersecurity of critical service providers. The changes will include bringing managed security providers into the scope of the NIS regulations, along with improved reporting obligations, giving government flexibility to adapt the NIS regulations in the future to ensure it remains effective and providing the Information Commissioners Office (ICO) with the ability to take a more risk-based approach to regulation.
In November 2022, the European Parliament and EU Member States adopted the directive on measures for a high common level of cybersecurity across the Union (the NIS2 directive), which aims to address perceived deficiencies and future-proof the existing NIS directive. As explained in our June 2022 issue, the changes will include expanding the sectoral scope (including energy, transport, banking and health), strengthening security requirements for companies, and requiring companies to address cybersecurity risks in supply chains and supplier relationships. Member States must now put appropriate measures to implement the directive in place by October 2024.
The potential for the UK NIS regulations to diverge from NIS2 will be of importance to organisations working in both the UK and the EU, as they will need to ensure compliance with both regimes, and the contrasting EU and UK approaches may give more general guidance about the direction of potential post-Brexit divergences in data and cybersecurity regulation.
ICO second consultation on draft data protection and journalism code ends
EU regulation on digital operational resilience adopted by European Parliament
The EU Regulation on digital operational resilience in the financial sector, known as the Digital Operational Resilience Act (DORA), was adopted by the European Parliament and the Council of the EU in November 2022.
The purpose of DORA is to enhance information communication technology (ICT) requirements for firms, helping to ensure they can effectively deal with ICT-related disruptions. DORA will be applicable 24 months after its entry into force, which is likely to be the end of 2024/early 2025 and will apply to a broad range of financial entities regulated in the European Economic Area.
Although affected firms will have two years to implement the requirements once DORA is in force, affected firms would be well-advised to start assessing their ICT systems sooner rather than later for DORA compliance, as the complexity and prevalence of legacy systems in the sector often makes putting compliant procedures and systems in place extremely time-consuming.
Please see our Insight for more information.
Product Security and Telecommunications Infrastructure Act 2022