Regulatory Outlook

Cyber Security | UK Regulatory Outlook October 2024

Published on 30th Oct 2024

Cyber Security and Resilience Bill to be introduced in 2025 | Cyber Essentials supply chain commitment | NIS2 Directive

Cyber Security and Resilience Bill to be introduced in 2025

As announced in the King's Speech, the government will bring forward the Cyber Security and Resilience Bill in 2025, in the first session of the new Parliament.

As previously reported, the bill was first announced in the King's Speech in July 2024, and aims to strengthen the cyber defences of the country's critical infrastructure and digital services. 

The Department for Science, Innovation and Technology (DSIT) revealed that it has received a number of enquiries from individuals and organisations wishing to discuss the bill. The government therefore plans to engage with stakeholders to gather input and issue further communications on this in due course.

Read more about the progress of other measures affecting business announced by the government in the King's Speech in our Insight.

Cyber Essentials supply chain commitment

On 23 October 2024, DSIT and the National Cyber Security Centre (NCSC) published a joint statement with a group of six UK banks, encouraging organisations within critical national supply chains to take steps to manage their supply chain cyber security risk.

The statement sets out the importance of good cyber security in the supply chain, and encourages businesses to manage their supply chain cyber security risk more effectively through adoption of the Cyber Essentials certification scheme as a supply chain assurance tool.

For more information, see the Cyber Essentials website.

NIS2 Directive

On 17 October 2024, the European Commission adopted the implementing regulation setting out the technical and methodological requirements of the cybersecurity risk management measures referred to in the Network and Information Systems Directive (NIS2). The rules apply to certain categories of companies providing digital services, including cloud service providers, online search engines and social networking platforms.

The implementing regulation is expected to be published in the Official Journal shortly and will enter into force 20 days after publication.

The deadline for Member States to transpose the various provisions of NIS2 into national legislation was also 17 October. So far, only Belgium and Italy have notified the Commission of full transposition, while Croatia, Latvia and Lithuania have partially transposed the directive into national laws.

The Commission urges the remaining Member States to "implement these rules at national level as fast as possible to ensure that the services which are critical for our societies and economies are cyber secure".

For more detail about what steps businesses can take to ensure compliance, see our Insight and track the directive on our Digital Regulatory Timeline.

Cyber Resilience Act formally adopted by EU Council

Please see Products section.

Counter Ransomware Initiative Summit

During the fourth Counter Ransomware Initiative (CRI) Summit in October 2024, the UK and 38 other countries issued new guidance alongside insurance bodies, with the aim of supporting organisations during ransomware incidents.

As a general approach, the CRI strongly discourages organisations from paying ransom. Instead, companies are encouraged to prepare ahead, as part of their business continuity plan, and to develop policies, procedures, frameworks and communication plans to minimise the overall impact of a ransomware incident.

Read the CRI joint statement and press release.

G7 Cyber Expert Group guidance for financial sector on planning for quantum computing

The G7 Cyber Expert Group, a working group that coordinates cyber security policy and strategy across the G7 jurisdictions, published a statement highlighting the potential cyber security risks associated with developments in quantum computing.

The guidance contains recommended steps for financial authorities and institutions to take to develop a better understanding of the issue, as well as strategies for protecting sensitive financial data, including customer information.

Read the HM Treasury press release.

UK and US cyber agencies warn of Russian foreign intelligence global cyber campaign

The NCSC and partner agencies in the US published an advisory sharing the latest tactics being used by Russia's Foreign Intelligence Service (SVR) as part of a continued cyber campaign targeting organisations including technology companies and financial institutions around the world.

Organisations are encouraged to deploy patches and prioritise software updates to prevent systems from being accessed by SVR cyber actors.

Read the full advisory.

UK and US issue alert over Iranian state-backed phishing attacks

The UK and the US issued a joint advisory warning about the ongoing threat to various sectors worldwide from attackers working on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC).

The IRGC has been observed using social engineering techniques to gain access to the personal and business accounts of individuals involved in Iranian and Middle Eastern affairs.

Read the joint cybersecurity advisory.

NCSC and allies issue advice over China-linked campaign targeting internet-connected devices

The NCSC and its international partners in the US, Australia, Canada and New Zealand issued an advisory warning of a botnet (a network of internet-connected devices that are infected with malware) operated by a China-linked company being used to conduct cyber attacks.

The compromised devices include Internet of Things devices such as routers, webcams and CCTV cameras. Individuals and organisations are advised to follow the mitigation advice to protect themselves against malicious activity.

Read the full advisory.

Regulatory law affects all businesses.

Osborne Clarke’s updated Regulatory Outlook provides you with high level summaries of important forthcoming regulatory developments to help in-house lawyers, compliance professionals and directors navigate the fast-moving business compliance landscape in the UK.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.