Cyber security | UK Regulatory Outlook January 2025
Published on 13th Jan 2025
NCSC Annual Review | EU Commission on NIS2 transposition | Cyber Resilience Act | Digital Operational Resilience Act (DORA)
NCSC Annual Review
The National Cyber Security Centre (NCSC) published its annual review of the key developments and highlights between 1 September 2023 and 31 August 2024. Among other things, key takeaways from the report include:
In 2024, there was an increase in both the frequency and severity of cyber incidents. The agency dealt with 430 incidents that needed its assistance, up from 371 the previous year. The sectors with the highest reported ransomware activity to the NCSC included academia, manufacturing, IT, legal, charities and construction.
Ransomware was identified as the most widespread and disruptive cyber threat to UK organisations. The report highlighted the significant impact that supply chain attacks against critical national infrastructure have had on a substantial proportion of the UK population.
The NCSC collaborated with government and private organisations, including the ICO, as well as the legal and insurance sectors, to create joint guidance on "ransom discipline" with the goal of reducing the number of ransomware payments made by victims. The guidance has since been internationalised through the Counter Ransomware Initiative.
Nation-state threat actors and cyber criminals are increasingly leveraging artificial intelligence to amplify the volume and impact of cyber attacks.
It is anticipated that the UK will focus on helping organisations improve their cyber capabilities to better defend against cyber attacks. In his first major speech as head of the NCSC, Richard Horne emphasised the need for organisations to collectively boost resilience against increasingly sophisticated cyber risks.
Horne called on public and private organisations to "see cyber security as both an essential foundation for their operations and a driver for growth", and to encourage the technology market to take a "secure-by-design" approach. Upcoming legislation and regulation, such as the new Cyber Security and Resilience Bill, will also form an important part of strengthening the country's cyber defences. This bill aims to expand the reach of current cyber security regulations by incorporating additional services and supply chains.
EU Commission calls on 23 Member States to complete NIS2 transposition
The implementation deadline for the revised NIS2 Directive, which brings new sectors and digital services into scope of the cyber security regulation, passed on 17 October 2024.
The European Commission opened infringement procedures against the remaining 23 Member States that have yet to complete transposition of the NIS2 Directive into national law. A letter of formal notice was sent to the Member States that failed to meet the 17 October 2024 deadline. They have two months from receipt of the letter to respond, to complete their transposition and to notify their measures to the Commission.
Organisations should now assess if they are likely to fall within the scope of NIS2 and prepare in advance to meet the new obligations.
Cyber Resilience Act enters into force
The Cyber Resilience Act (CRA) came into force on 10 December 2024. As previously reported, the CRA introduces strict cybersecurity requirements for products with digital elements, such as connected home devices. Potential fines for non-compliance with the CRA are up to €15m or 2.5% of the worldwide annual turnover.
The CRA has a 36-month transition period, meaning manufacturers will have to place products that comply with the new obligations on the EU market by 11 December 2027.
Track the Act on our Digital Regulatory Timeline.
ESAs issue statement on DORA implementation
The European Supervisory Authorities (ESAs) issued a statement on the application of the Digital Operational Resilience Act (DORA). The ESAs called on financial entities and ICT third-party service providers to ensure they are ready to comply with the DORA and its associated technical standards and guidelines from its application date on 17 January 2025.
The ESAs also invited ICT third-party service providers that meet the criticality criteria published in May 2024 to assess their operational set-up against the DORA requirements. The first designation of critical ICT third-party service providers is expected to take place in the second half of 2025.
Track the progress of the regulation on our Digital Regulatory Timeline.