Regulations to watch out for – Part 1!

They feel no pain.  They cannot be reasoned with.  They will never, ever stop.

With a new year comes the promise of new regulation. Here are some to keep an eye on:

1) EU Cybersecurity Act.

It hasn't quite been agreed yet, but it is close. The EU Cybersecurity Act introduces an EU-wide cybersecurity certification framework for ICT products, services, and processes. Companies doing business in the EU will have to certify their ICT products, processes, and services.

We'll write more as things are finalised and the fog begins to clear.

2) EU Digital Operational Resilience Act (DORA).

You may have heard of this, but we're expecting a lot more guidance in 2024 ahead of enforcement in 2025. And there are also rumours of a UK equivalent in the works…

Requirements include:

  • IT risk management
  • IT-related incident reporting
  • Digital operational resilience testing
  • IT third-party risk


3) Changes to the UK data protection regime.

Just as you think it's safe to process data again, they're changing the rules. Again. A change to UK data protection regulation has passed through the Commons and is with the Lords (see bill here). It proposes some fairly substantive changes too. There is nothing to do just yet, but we'll review and evaluate it and report back in the next few weeks to help you understand what you need to focus on in 2024.

The changes aim to make data transfers easier, make cookie consent less onerous, remove the need for a register of processing activities in certain circumstances, change data protection impact assessments so that they focus only on high-risk processing, and replace 'data protection officers' with 'senior responsible individuals' (which may mean UK organisations need both!). Oh, and the Information Commissioner will be abolished and replaced.

4) NIS2

Now 'Network and Information Security Directive – the Sequel' is not new as such. It's necessary to comply with this in Europe by October 2024, and the UK seemed to be paralleling this with its own legislation. It should have been in the last King's Speech. Only… it wasn't.

NIS2 makes a few changes, including:

  • A three-stage process for reporting security incidents to the relevant authorities: an "early warning report" within 24 hours, an "incident notification" within 72 hours and a "final report" within one month.
  • A registration requirement for certain in-scope entities (including cloud providers and data centres).
  • Obligations to implement technical and organisational measures to manage security risks, including supply chain security. This means that organisations that are not directly caught by NIS2 could also be impacted through their customers.
  • Management bodies must have regular training and must offer similar training to their employees.

Come back next week for part 2…