UK Cybersecurity Laws
UK cybersecurity laws are key to keeping internet users safe whilst supporting innovation and growth in what is quickly becoming a driving sector for our economy. Though there is existing legislation that aims to govern and regulate cybersecurity, recent high-profile cyber incidents (such as on SolarWinds and Microsoft Exchange Servers) have highlighted the importance of a proactive approach to adapting the law to match the current technological landscape.
The fast paced digitalisation of business and the economy have prompted the Government to bolster the regulatory framework, as set out in the National Cyber Strategy. Conscious of the delicate balance between maintaining security and supporting the growth of the tech sector, the Government is keen to develop new legal frameworks that reconcile both aims, whilst also maintaining critical flexibility to ‘react to the speed of technological change.’
This article offers a brief introduction to current and proposed UK Cybersecurity laws to give you a better understanding of the current legal landscape and how the government wants to future-proof these laws.
Computer Misuse Act 1990
The Computer Misuse Act 1990 aims to protect how personal data is used and stored by organisations. It was created to ‘deal with the issue of accessing or modifying data without permission.’ The Act criminalises accessing a computer without permission, as well as theft or modification of data, and the facilitation of related crimes.
Communications Act 2003
The Communications Act 2003 regulates the media and telecommunications sectors. It governs how people are able to use the internet and also has a section that relates directly to electronic communications such as over social media. Under Section 127, the improper use of public electronic communications networks can be punishable by a prison term of 6 months.
NIS regulations (Network and Information Systems Regulations) came into force in 2018. They are actually derived from the EU NIS Directive.
They aimed to improve the cybersecurity of companies involved with the provision of essential services such as water, transport, healthcare and digital infrastructure. In essence, they provide ‘legal measures to boost the level of security of network and information systems.’
These regulations created a duty for these essential service providers to perform a risk assessment and to implement reasonable security measures to protect their network. Additionally, it requires these service providers to report significant incidents and have thorough recovery roadmaps in place. Failure to comply with the NIS regulations carries a maximum fine of £17 million.
Earlier this year, the Government announced that it wants to further update the NIS regulations and widen their scope. This would mean that MSPs (Managed Service Providers) would now be covered by the NIS regulations, thus addressing some of the cybersecurity risks that exist within business supply chains that till now have been broadly overlooked.
How the Government will adapt the NIS regulations is still to be seen. A consultation looking specifically at proposed amendments closed in April of this year, and the next stage is set to be underway soon.
National Cyber Strategy
The National Cyber Security Strategy is the Government’s response to the need to strengthen the nation’s security and resilience in the face of cybersecurity threats, whilst still actively supporting the development of the tech industry. The Government has committed £22 billion to research and development towards placing technology at the heart of the UK’s national security.
Pillar 2 of this strategy is to build a resilient and prosperous digital UK where cyber risks are reduced in favour of business growth.
UK Cyber Security Council
In December 2019, the UK Cyber Security Council was established as part of the UK Government’s National Cyber Security Strategy 2016 – 21. The Council is an independent, self-regulatory body that is empowered to ‘develop, promote and steward nationally recognised standards for cybersecurity.’
The results of a recent consultation call for additional powers for the Council to help to raise the bar of security standards in the industry. They would do this by, for example, creating a standardised set of qualifications that would ensure that those in the cybersecurity profession are properly equipped to protect businesses online.
Product Security and Telecommunications Infrastructure Bill (Part 1)
The Product Security and Telecommunications Infrastructure Bill has recently completed its passage through Parliament and is likely to receive Royal Asset at (or before) the beginning of next year. The bill provides for the security of internet-connectable products (such as smart TVs, internet-connectable cameras and speakers etc) and other products that can connect to those products. This is in order to protect personal consumer data that might be collected by such devices. A good example of this might be Alexa or Cortana. Once the PSTI Act comes into force, it may impose significant legal duties on the UK manufacturers, importers or retailers of these kinds of devices.