Cyber Security | UK Regulatory Outlook January 2024

Consultation on proposed regulation to improve security of UK data infrastructure

On 14 December 2023, the Department for Science, Innovation and Technology launched a consultation seeking views on a proposed regulation to improve the security and resilience of UK data infrastructure.

The proposals, which focus on third-party data centre services, seek to address cybersecurity threats, risks to the resilience of data centre services, and the perceived lack of information-sharing and cooperation across the data infrastructure industry through the creation of a new statutory framework.

The proposed measures include:

• introduction of a new regulatory function to implement and enforce the proposed framework;
• mandatory registration of relevant data centre providers with the designated regulator;
• introduction of a duty to comply with baseline security and resilience measures;
• introduction of a standards and assessment framework to enable the regulator to assess compliance with security and resilience measures; and
• incident reporting requirements to the regulator, customers and other affected parties.

The consultation follows government proposals to expand the existing Security of Network and Information Systems Regulations (NIS regulations) to include additional sub-sectors and will be of particular interest to data centre operators, cloud platform providers, managed service providers, as well as customers and suppliers of the above. You can respond to the consultation here. The consultation closes on 22 February 2024.

EU Parliament Committee adopts draft report of Cyber Solidarity Act  

On 7 December 2023, the European Parliament's Committee on Industry, Research and Energy adopted the draft report of the Cyber Solidarity Act, which proposes to build a collective and more resilient EU response against cybersecurity threats. A decision to start negotiations with the EU Council was submitted during the 11-14 December plenary session. 

Member States have until 17 October 2024 to adopt legislation to comply with the NIS 2 Directive, which repeals and replaces the NIS Directive, the first European cybersecurity legislation aimed at establishing a high level of security of organisations and harmonising cybersecurity requirements. For further information on NIS2 compliance see our Insight.

Further EU regulations on cybersecurity are expected to be finalised in 2024, following  the European Council and Parliament's provisional agreement on the proposed Cyber Resilience Act, which will introduce EU-wide cybersecurity requirements for the design, development and distribution of Internet of Things (IoT) products. The regulation is expected to enter into force in early 2024, upon which manufacturers will have 36 months to apply the rules. For further information see our Insight.

In the UK, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 will come into effect on 29 April 2024. It introduces the consumer connectable regime which specifies minimum requirements for manufacturers to enhance the security of IoT products that are made available to consumers in the UK. 

NCSC guidance on Star Blizzard

On 7 December 2023, the National Cyber Security Centre (NCSC) released a report warning about the threat of spear-phishing attacks against targeted organisations and individuals in the UK by the Russia-based group Star Blizzard.

The NCSC has also updated its guidance for individuals at higher risk of being targeted by threat actors to improve their resilience against cyber threats. Read the press release.

It is anticipated that 2024 will see greater collaboration between the Information Commissioner's Office (ICO) and the NCSC on activities towards improving the UK's cyber resilience, as they signed a joint Memorandum of Understanding in September 2023. The memorandum sets out cooperation between the two organisations on the development of cyber standards and guidance, information-sharing procedures between the two organisations, and cross-government coordination in response to incidents.

Joint Committee report on ransomware and UK national security

On 13 December 2023, the House of Commons Joint Committee on National Security Strategy published a report on the scale and nature of ransomware threats against the UK. It notes key ransomware trends including:

• the growth of ransomware-as-a-service (RaaS) – which has increased the agility and speed of ransomware operations;
• innovations in marketing, recruitment, and communication of RaaS groups;
• a shift towards "big game hunting" – with threat actors targeting higher-value organisations with the aim of achieving larger ransom payments; and
• an increase in the use of double or triple extortion methods by threat groups – including exfiltration (removal) rather than encryption of data, threatening customers/suppliers with the release of sensitive data, and a premium subscription in exchange for exclusive rights over the stolen data.

The report concludes by making several recommendations including:

• transferring responsibility for tackling ransomware from the Home Office to the Cabinet Office, in partnership with the NCSC and the National Crime Agency (NCA);
• bringing forward legislation to reform the Computer Misuse Act 1990 to criminalise the theft and copying of data and introduce extra-territorial provisions for cybercrime; and
• investing more resources into the government and the NCA's approach to disrupting ransomware operators.

CISA and ENISA sign working arrangement to enhance cooperation

On 7 December 2023, the European Union Agency for Cybersecurity (ENISA) announced that it had signed a working arrangement with the US Cybersecurity and Infrastructure Security Agency (CISA), with the aim of facilitating short-term cooperation actions and longer-term cooperation in cybersecurity policies and implementation approaches.

We anticipate the UK to continue to coordinate closely with international allies on cybersecurity measures in the coming year. For example, in November 2023, the National Cyber Security Centre (NCSC) and the National Intelligence Service of the Republic of Korea released a joint advisory about the rising risk of Democratic People's Republic of Korea (DPRK) state-linked cyber actors targeting software supply chain products. Members of the international Counter Ransomware Initiative, which includes the EU, US and the UK, also released a joint statement to publicly denounce ransomware and discourage ransom payments being made to cyber criminals.