On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.
Continue Reading Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers
The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30 November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by the European Parliament and Council. However, the frequency and scale of cyber incidents, and the consequent increased risk of severe damage, have prompted changes to UK cyber laws as well.
Continue Reading UK expands scope of NIS Regulations
The National Cyber Security Centre (“NCSC”) has published guidance for medium and large organisations on how to assess and improve cyber security in their supply chains. The guidance is a supplement to the NCSC’s supply chain principles.
Continue Reading NCSC releases guidance on cyber security in the supply chain
Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation (see consultation here).
A recap of the current UK cybersecurity law: NIS Regulations
One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.
Under the NIS Regulations, businesses that provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.
Continue Reading Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform
The European Union Agency for Network and Information Security (ENISA) has published a paper on the security challenges that arise from the convergence of Internet of Things (IoT) and Cloud computing. The paper is directed at IoT developers, IoT integrators and Cloud service providers, and concludes with a number of suggested steps to achieve secure solutions.
ENISA defines IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making”. This would include, for example, smart homes, Fitbits and Apple Watches. ENISA divides the IoT ecosystem into three components: (i) devices, (ii) communications and (iii) Cloud platform, backend and services.
The growth of IoT in recent years has put pressure on Cloud computing to evolve in order to accommodate IoT’s needs, including aggregating, storing and processing the data that it generates. This resulted in a new model, the “IoT Cloud”.
The emergence of the IoT Cloud poses potential security risks, and ENISA is primarily concerned about the fact that IoT devices provide access to Cloud systems, and therefore any attack on an IoT device can potentially lead to a more widespread attack.
Continue Reading Security challenges arising out of the convergence of Internet of Things and Cloud computing
The Information Commissioner, Ms Elizabeth Denham, has published her comments on the European Commission’s consultation on the draft implementing regulation (“Implementing Regulation”) of the Network and Information Security Directive ((EU) 2016/1148) (“NIS Directive”).
The Implementing Regulation sets out the further elements that need to be taken into account by digital service providers (“DSPs”) under the NIS Directive for managing the risks posed to the security of their network and IT systems from cybersecurity threats, and sets out further parameters to determine whether an incident has a ‘substantial impact’ on their service.
While the Information Commissioner recognises the need to increase security of essential services, she cautioned against the ‘setting [of] overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.
The Information Commissioner published her comments on the basis that it is proposed that the ICO will be the competent national authority in the United Kingdom for the regulation of DSPs under the NIS Directive. DSPs are:
- Cloud service providers
- Online market places
- Search engines
The NIS Directive details some of the factors which must be considered when assessing whether a breach has had a ‘substantial impact’. The Implementing Regulation expands on these factors and also provides specific parameters for when a notification will be required (e.g., if the incident caused material damage to a user which exceeds €1 million, or if the incident affected the provision of the services in two or more Member States).
Under the NIS Directive, a DSP will have to notify its competent national authority if it suffers an incident which has a ‘substantial impact’ on the service provided by a DSP.
Continue Reading ICO publishes response to consultation on European Commission’s implementing regulation to the NIS Directive
On 1 March 2017, the UK government published its Digital Strategy (“Strategy”) for a “world-leading digital economy that works for everyone.” The Strategy contains a number of statements that bring some certainty to the direction of regulation in the UK following its withdrawal from the European Union.
Unlocking the data economy
The Strategy notes the opportunities presented through the use of data analytics, artificial intelligence and the internet of things. Noting a recent Information Commissioner’s Office study, which found that only one in four UK adults trust businesses with personal data, a key aspect of the Strategy is to improve public trust and confidence in the use of data, enabling the UK to house a ‘world-leading’ data economy. To this end, the Strategy confirms that the UK will implement the General Data Protection Regulation (“GDPR”) by May 2018, ensuring a “shared and higher standard of protection for consumers and their data across Europe and beyond.” Businesses will also be encouraged to adopt ethical frameworks for the use of data.
Continue Reading UK government publishes digital strategy to create and support a secure and thriving data economy
The FDA is the latest federal agency to show a focus on cybersecurity issues, with the release on December 28 of new guidance. While the prospect of network-enabled medical devices increasingly offers the promise of improved care and patient treatment, evolving technology and new-found connectivity present emerging security considerations as well.
The Food and Drug…
In a speech at the FT Cyber Security Summit, the FCA outlined its approach to cybersecurity in financial services firms. In addition, the Group of 7 (“G7”) has issued an 8-point framework for the financial sector, as a push for financial firms to design a cybersecurity strategy.
We explore each piece of guidance below.
Continue Reading FCA and G7 issue cybersecurity guidelines for the financial sector
TheCityUK and Marsh have jointly published a report urging UK financial and related professional services sectors to step up their efforts to address cyber risk. The report (headed “Cyber and the City”) suggests that cybersecurity is still not being given the priority it deserves, particularly given the substantial disruption, costs and reputational damage that can…