Cyber security | UK Regulatory Outlook July 2024

King's Speech - new Cyber Security and Resilience Bill

On 17 July 2024, King Charles III outlined the new government's plans for the Parliamentary session in the King's Speech at the state opening of Parliament. Among other things, the government proposes to introduce a new Cyber Security and Resilience Bill that aims to strengthen the cyber defences of the country's critical infrastructure and digital services.

The bill will update the existing regulatory framework by:

• expanding the scope of the Network and Information Systems (NIS) Regulations 2018 to cover more digital services as well as their supply chains;
• providing regulators with greater powers and resources to ensure implementation of essential cyber safety measures and to investigate potential vulnerabilities; and
• mandatory reporting of ransomware attacks and expanding the type and nature of incidents that regulated entities must report.

The previous government had committed to amending the NIS Regulations following a public consultation in 2022. It remains to be seen how similar the new measures will be to the former government's plans, which proposed to extend the scope of digital services to include "managed services", examples of which would include workplace services, IT outsourcing services and technical advisory services.

King's Speech – new Digital Information and Smart Data Bill

Please see Data section.

NCSC advisory about techniques used by China state-sponsored threat actors

On 9 July 2024, the National Cyber Security Centre (NCSC) issued an advisory alongside partners in Australia, the US, Canada, New Zealand, Germany, the Republic of Korea and Japan, outlining the techniques used by the China state-sponsored APT40 threat group.

The advisory includes two technical case studies illustrating how preferred techniques used by APT40 to launch attacks, with the aim of helping organisations to detect and mitigate any malicious activity. The publication of the advisory follows a speech made by Anne Keast-Butler, the Director of the GCHQ, in May this year, warning about the "genuine and increasing cyber risk" China posed to the UK.

Read the full advisory.

European Commission consultation on draft implementing act under NIS 2 Directive

The European Commission has launched a consultation on its draft implementing regulation under the EU's Network and Information Systems Directive (NIS 2), setting out the technical and methodological requirements of the risk management measures, and the criteria for when an incident will be considered significant.

NIS 2 aims to enhance the level of cybersecurity risk management measures and reporting across the EU. Relevant entities covered by the draft regulation include cloud computing service providers, managed service providers, online marketplaces, online search engines and social networking platforms.

The consultation closes on 25 July 2024, with the final regulation expected to apply to relevant entities from 18 October 2024. Follow the directive on our Digital Regulatory Timeline or see more in our Insight.

Commission publishes delegated regulations for Regulatory Technical Standards under DORA

The European Commission has published three delegated regulations supplementing the Regulation on digital operational resilience for the financial sector (DORA) in the Official Journal of the European Union:

• Commission Delegated Regulation (EU) 2024/1772, which sets out regulatory technical standards (RTS) specifying the criteria for the classification of ICT-related incidents and cyber threats, materiality thresholds and the details of reports of major incidents.
• Commission Delegated Regulation (EU) 2024/1773, which sets out RTS specifying the content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
• Commission Delegated Regulation (EU) 2024/1774, which sets out RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework.

The delegated regulations entered into force on 15 July 2024. Connect with one our experts to discuss the key issues in achieving compliance with the new requirements under DORA.            

EU AI Act published in Official Journal

On 12 July 2024, the EU AI Act 2024 was published in the Official Journal of the European Union. It will come into force 20 days after publication on 1 August 2024. The new cross-sector regulation on artificial intelligence (AI) sets out obligations for those designing, developing and deploying AI systems.

Article 15 introduces requirements for high-risk AI systems (AI that is a component in, or is itself, a product subject to EU product safety regulations), which must be designed and developed in a way that ensures an appropriate level of accuracy, robustness and cybersecurity.

As such, businesses should plan and prepare for the implementation of technical solutions to detect, prevent and mitigate cyber attacks by unauthorised third parties on high-risk systems. The AI specific vulnerabilities which technical solutions must address are:

• data or model poisoning (attempted manipulation of training data or pre-trained components used in training);
• model evasion (inputs designed to cause the AI model to make mistakes);
• confidentiality attacks; and
• model flaws.

See our Insight explaining the Act's phased deadlines for compliance.