Data & Cyber Security

Subscribe to Data & Cyber Security

The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive.  NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here.  The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

Continue Reading NIS2 toughens up EU’s cyber security obligations

The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30th November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by European Parliament and Council. However, the frequency and scale of cyber incidents and consequent increased risk of severe damage has prompted change to UK cyber laws as well. 

Continue Reading UK expands scope of NIS Regulations

At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.

Continue Reading A sigh of relief? EU-US data transfers

On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022.  From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.

Continue Reading UK Government grants South Korea a data adequacy status

A recent £4.4m fine imposed by the ICO in October 2022 reveals its views on the responsibility of the parent company, senior management, and financial investments in organisations’ security standards to prevent cyber attacks.

Continue Reading ICO expects large organisations to make financial investments to maintain their security standards

With increased digitization of business processes and services affecting all industries and enterprises, the need for accessible digital tools continues to grow. Indeed, 26% of adults living in the United States have some type of disability, highlighting the crucial role accessibility tools serve in ensuring an inclusive digital environment.  Furthermore, in certain instances, the implementation of accessibility best practices may be legally required. We discuss these issues in our most recent Tech Law Talks podcast.

Continue Reading Digital Accessibility: Legal & Practical Issues to Consider

On 17 June 2022, in response to its consultation in 2021 on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The intention of the reforms is to achieve greater personal data use enabling economic growth by removing barriers and reducing obstacles for organisations whilst maintaining high standards of personal data protection and EU adequacy.

Continue Reading Government releases proposals to reform UK data protection laws

Introduction and Overview

The year 2022 is one of major changes to consumer protection laws in Germany and the EU, namely:

  • Changes in connection with digital products and corresponding new provisions for the sale of consumer goods took effect on 1 January 2022 (see our earlier Reed Smith Client Alert Part I).
  • New consumer protection rules regarding automatic renewal and notice periods took effect in March 2022.
  • Requirements regarding termination buttons will come into force on 1 July 2022 (see our earlier Reed Smith Client Alert Part II).


Continue Reading New rules to strengthen and better enforce consumer rights in Germany and the EU

Four years ago, the General Data Protection Regulation (“GDPR”) came into force in the EU. Since then, the GDPR has had a domino effect, as many countries in the world have used it as a model to shape their own rules on the handling of personal data. Given the rapid changes in data protection legislation around the world, legal and compliance teams of multinational organisations are under pressure to keep up with such developments as they continuously adapt their compliance programs in response.

Continue Reading The fourth anniversary of the GDPR: How the GDPR has had a domino effect

On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.

Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security