Navigating the Future of Cybersecurity
Implications of the new UK and EU regulations
For UK businesses within scope, the upcoming Cyber Security and Resilience Bill signals an increased focus on incident reporting, supply chain security and digital resilience, and is anticipated to align broadly with the EU's Network and Information Security (NIS 2) Directive.
In the EU, the Digital Operational Resilience Act (DORA) has introduced sector-specific resilience requirements for financial entities, aimed at ensuring that they can continue to provide their services in the face of cyber threats and other ICT disruption.
These developments underline the need for businesses to invest in robust cybersecurity frameworks and to mitigate risk in an increasingly digital world.
Cybersecurity in the UK
In 2024 we saw numerous developments in cybersecurity and data protection legislation in the UK. The Government appeared invested in increasing the UK's resilience to cyber threats, safeguarding personal data and addressing supply chain vulnerabilities.
One example is the Cyber Security and Resilience Bill (the Bill). The Bill was announced in the King's Speech in July 2024, and the UK Government has confirmed that it will be introduced to Parliament during 2025. It is anticipated to (i) impose stricter technical security requirements; (ii) extend mandatory incident reporting obligations to a broader range of businesses; and (iii) update the existing Network and Information Systems (NIS) Regulations 2018, which implemented the original NIS Directive (NIS 1) in the UK. The proposals come at a time when targeted attacks on UK critical infrastructure are reported to be increasing: in the last 18 months, UK hospitals, universities, supply chains and government departments have all been targeted in cyber-attacks.
RPC has published full details of the key legislative and regulatory changes introduced in the UK in 2024; please see here.
Cybersecurity in the EU
The European Union has introduced comprehensive regulatory frameworks aimed at strengthening cybersecurity and operational resilience across key sectors. The Digital Operational Resilience Act (DORA) and the Network and Information Security 2 Directive (NIS 2) impose strict security and incident reporting requirements on businesses operating within the EU, backed by enforcement procedures designed to ensure compliance.
Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554
DORA requires in-scope financial entities, and the ICT third-party service providers that support them, to comply with comprehensive new technical requirements and standards to protect against cyber threats. This includes significant incident reporting requirements: the initial notification of a major ICT-related incident is due within four hours of the incident being classified as major. The requirements are backed by a robust enforcement regime and penalty framework. DORA has applied since 17 January 2025, by which date in-scope organisations were required to be compliant. Article 35(9) of DORA establishes penalty payments for non-compliance; note that the periodic penalty payments under Article 35 are those imposed by the Lead Overseer on critical ICT third-party service providers, while financial entities face the administrative penalties and remedial measures that Member States' competent authorities apply under Article 50. Businesses should therefore prioritise full compliance with DORA to avoid substantial fines and the reputational damage of being found non-compliant when a cyber incident occurs.
Network and Information Security 2 Directive (EU) 2022/2555
Directive (EU) 2022/2555, widely known as NIS 2, is likewise aimed at increasing the cybersecurity and resilience of in-scope businesses, and has superseded its predecessor, NIS 1 (Directive (EU) 2016/1148).
Member States were required to transpose NIS 2 by 17 October 2024. The Directive (i) expands the number of businesses in scope; (ii) imposes mandatory reporting requirements for "significant incidents", starting with an early warning within 24 hours of the entity becoming aware of the incident; (iii) introduces further technical security requirements; and (iv) sets out consequences for non-compliance, including fines, the temporary suspension of certifications or authorisations for essential entities, and personal liability for directors and management.
Notwithstanding the transposition deadline, a number of Member States have still not transposed NIS 2. On 28 November 2024, the European Commission initiated infringement procedures by sending letters of formal notice to 23 Member States that had yet to transpose NIS 2. We anticipate transposition continuing across the EU for at least the next six months.
Implications on businesses
Given the increased expectations on businesses to improve their cybersecurity measures, businesses should implement comprehensive cybersecurity frameworks, conduct regular risk assessments and establish incident response plans whose escalation and notification steps are aligned with the regulatory reporting clocks (as short as four hours under DORA and 24 hours under NIS 2). There is a range of measures businesses can take to achieve this, including regular tabletop exercises to test that the organisation can detect, classify and report an incident within those deadlines. Contracts with ICT third-party service providers should also be reviewed to align with the requirements of DORA.
Final thoughts
Ultimately, the focus of governments across the UK and EU on increasing resilience to cyber threats emphasises the need for businesses to improve their own cyber resilience measures, for example by developing a robust incident response plan.
With stricter requirements in place, businesses must ensure compliance with their reporting obligations and strengthen their supply chain security. As regulatory enforcement intensifies, businesses that prioritise cybersecurity will not only mitigate financial and reputational risks but also gain a competitive advantage in an increasingly digital world. Staying ahead of these developments is no longer optional; it is essential for operational stability.