The Network and Information Systems Regulations 2018
While EU Member States work on the national laws needed to give effect to Directive (EU) 2022/2555 ("NIS 2"), which is set to replace the EU's original NIS Directive, progress in the UK on updating the Network and Information Systems Regulations 2018 ("NIS Regulations") has been relatively quiet. On 30 November 2022, the UK Government confirmed that its public consultation on proposals for legislation to improve the UK's cyber resilience regime would lead to changes to the UK's cybersecurity regulations, including extending requirements to managed service providers. However, that confirmation was based on a consultation from 2020, and it remains to be seen whether the next Government will proceed with these plans.
The Computer Misuse Act 1990
Similarly, a UK Government consultation on amending and updating the Computer Misuse Act 1990, part of the Government's wider attempt to modernise and reform UK cybersecurity legislation, closed on 6 April 2023, but the response paper has not yet been published.
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
The new UK consumer connectable product rules in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force on 29 April 2024. Manufacturers, importers and distributors of connectable products that are in scope need to keep these requirements in mind when making their products available on the UK market.
In summary, whilst national security and cybersecurity are very much in focus in the UK, there are currently no firm plans for significant changes to the underlying legislation.
The Network and Information Systems Regulations 2018
Although it is unclear when the NIS Regulations will be updated, they remain a central piece of cybersecurity legislation in the UK and are increasingly a focus for the Information Commissioner's Office (ICO), the regulator that enforces them.
The Computer Misuse Act 1990
While the Computer Misuse Act 1990 does not itself impose security obligations on businesses, organisations should still be aware of three new powers that are proposed to be given to law enforcement agencies under it:
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Manufacturers, importers and distributors of UK consumer connectable products are now legally required to comply with minimum security requirements, including password requirements (in particular, a ban on universal default passwords), publication of minimum security update periods, provision of statements of compliance, and provision of a contact point for reporting security issues.
Organisations that do business in the UK should continue to monitor these developments so that they are prepared for any new compliance and reporting measures they may need to build into their business processes. In particular, companies should make sure that they:
Written by James Moss, Anthony Rosen, Matthew Buckwell and Rory Coutts
*Information is accurate up to 1 July 2024