Cyber security, the UK and the EU Cyber Resilience Act – what does it mean?

31st October 2023

According to the National Cyber Security Centre, “cyber security is how individuals and organisations reduce the risk of cyber attack.”

What is happening in the EU?

By way of brief background, the EU first implemented some key cybersecurity legislation through the Network and Infrastructure Systems Directive (“NIS 1”), which came into force in 2018. Since the UK was still a member of the EU, this directive applied to the UK. This was the first piece of significant cyber security legislation and imposed basic minimum requirements on certain bodies.

The Network and Infrastructure Systems Directive 2 (“NIS 2”) was published in December 2022 and compliance with this directive is required by all member states by 17 October 2024, replacing the NIS 1. The NIS 2 seeks to ensure that all member states have a high level of cybersecurity risk management and provides more stringent requirements than the NIS 1.

For example, the NIS 2 has provisions for reporting obligations across key sectors such as energy, transport and health, along with digital infrastructure. The intention is that, once an attack is reported, its impact can be limited in scope and effect.

Finally, the EU first proposed a regulation on cyber security requirements, known as the ‘Cyber Resilience Act’, in 2019, with proposals to further update it this year. The final proposed legislation is yet to be released. However, the aim of the legislation is clear: to establish a transparent legal framework that addresses any gaps in existing cyber security legislation and sets out fundamental “mandatory requirements for the security of products with digital elements”. As a result, this legislation will apply to all products with digital elements, unlike existing legislation that only applies to certain products.

Whether the UK adopts the ‘Cyber Resilience Act’ or implements its own cyber resilience regime remains to be seen.

What about the UK – do we have cyber security legislation?

The short answer is no, the UK does not currently have a single cyber security law.

However, we have a cluster of existing legislation which provides some level of protection to the UK’s digital networks with regards to cyber security.

  • Currently, the main source of domestic legislation which addresses issues of cyber security is the Computer Misuse Act 1990
  • In addition to this, British businesses are still bound by the UK GDPR which imposes security obligations around personal data, with key consideration given to the organisation and technical measures that organisations must implement to protect individual data
  • The Security of Network and Information Systems Regulations 2018 (“NIS”) – transpose the Network and Information Systems Directive (EU) into UK law which contains obligations on IT security:
    • The issue with the NIS is that it is limited in scope and only applies to those operators and services which, if disrupted, have potential to cause significant damage to the UK’s economy, society and individual welfare. As a result, NIS does not cover organisations which fall outside this bracket, making it deficient in providing a blanket of protection
  • Privacy and Electronic Communications (EC Directive) Regulations 2003
    • Further to this, the UK implemented the E-Privacy Directive 2002 into UK law
    • This covers technical and organisational measures to safeguard the security of services.

While we wait to see a strong legislative response to the EU proposals and the rapidly developing cyber security sphere, the recent update on the National Cyber Resilience Strategy provides some comfort that action will be taken to protect the UK’s cyber infrastructure at all levels.

The Product Security and Telecommunications Infrastructure Act 2022 has been granted royal assent. It contains provisions requiring consumer connectable products (i.e., products that connect to the internet or a network) to be more secure against cyber attacks; for example, it requires that minimum security requirements are met. Due to come into effect from 29 April 2024, it is important to ensure that your business is compliant with these minimum security requirements, especially if you are manufacturing or selling connectable consumer products.

In addition, the UK is looking to strengthen the existing cyber security legislation through the Security of Network and Information Systems Regulations, “as soon as parliamentary time allows.” Once released, it is likely that this legislation will significantly impact how connectable devices are regulated, and it will be crucial to ensure your business and contractual processes are compliant with any new requirements or protocols imposed by future legislation.

To conclude, if you are operating in the connectable consumer products industry, there is some key legislation coming into effect in 2024 that you will need to ensure your business and supply chain are compliant with. If you are operating outside this industry, that is not to say future legislation won’t impact your business. We will keep you informed as and when new legislation is published.