Cyber Security | UK Regulatory Outlook November 2024
Published on 27th Nov 2024
ENISA draft technical guidance on NIS2 cyber security risk management measures | DSIT call for evidence on Cyber Security and Resilience Bill | Five Eyes security advice campaign for tech startups
ENISA draft technical guidance on NIS2 cyber security risk management measures
As previously reported, on 17 October 2024, the European Commission adopted the implementing regulation setting out the technical and methodological requirements of the cybersecurity risk management measures referred to in the Network and Information Systems Directive (NIS2).
The European Union Agency for Cybersecurity (ENISA) has published draft technical guidance for the NIS2 implementing act, setting out, among other things, additional advice to Member States and in-scope entities on considerations to take into account when implementing a requirement and further explanations of the concepts and terminology used in the act.
ENISA is seeking feedback on the draft guidance. The deadline for responses is 9 December 2024.
For more detail about what steps businesses can take to ensure compliance with NIS2, see our Insight and track the directive on our Digital Regulatory Timeline.
DSIT call for evidence on Cyber Security and Resilience Bill
The Department for Science, Innovation and Technology (DSIT) launched a call for views on its proposals to update the Network and Information Systems (NIS) Regulations 2018, through the Cyber Security and Resilience Bill.
The call for evidence will help DSIT assess the impact of the proposed changes on entities already regulated under the NIS Regulations as well as those who are anticipated to be in scope of the new bill.
The consultation closed on 21 November 2024.
Five Eyes security advice campaign for tech startups
The Five Eyes intelligence partnership published joint security guidance as part of its "Secure Innovation" campaign, aimed at helping emerging technology companies in all countries to protect themselves from a range of threats.
Regional versions of the guidance are also available to companies in all five countries, reflecting the increased commitment from all five countries to working collaboratively to protect against security threats posed by nation-state actors.
Read the press release.
National Cyber Security Centre updates
- The UK and international allies published a new advisory detailing the top 15 most commonly exploited vulnerabilities from 2023.
- The National Cyber Security Centre (NCSC) released a list of NCSC-assured providers who are able to conduct independent Cyber Assessment Framework based audits.
- UK organisations are advised to take action to mitigate a vulnerability affecting Fortinet FortiManager (CVE-2024-47575).
- The NCSC updated its multi-factor authentication guidance, which recommends that organisations should use to secure their data against phishing attacks.
EU Cyber Resilience Act published in Official Journal
Please see Products.