The digital threat landscape in the United Kingdom (UK) continues to evolve as businesses that undergo a massive transition towards increased digitalization and cloud-based migrations are forced to change their IT system operations.
More importantly, UK laws and regulations must also adapt to ensure that UK businesses and organizations are working to improve their cybersecurity posture and IT infrastructure to protect data security and privacy. Especially during the post-Brexit era, businesses must ensure compliance with UK’s newest cybersecurity laws and regulations.
In this article, we will examine the most current cybersecurity laws and regulations in the UK, how to comply with them, the penalties and fees they impose for non-compliance, the newest legislative measures of the NIS Regulations, and which steps UK businesses can take to protect their networks, data, and systems.
List of Cybersecurity Laws and Regulations in the UK
While there is no overarching, primary national cybersecurity law, there are four critical legislation schemes that govern cybersecurity, data privacy, and data protection in the UK:
While those four are the most impactful pieces of legislation concerning cybersecurity in the UK, we’ll also cover the following:
- Telecommunications (Security) Act 2021
- UK eIDAS (Electronic Identification and Trust Services for Electronic Transactions Regulations 2016)
- PECR (Privacy and Electronic Communications Regulations)
There are also other global cybersecurity regulations and frameworks like the PCI-DSS, NIST, SOX, and HIPAA that many UK businesses and organizations actively follow. However, businesses are not obliged to follow them under UK law.
Learn the difference between a regulation and a cyber framework >
DPA (Data Protection Act 2018)
The Data Protection Act 2018 (DPA 2018) is the UK government’s primary law on personal data processing in the UK, which is enforced along with the UK-GDPR. It serves as a data protection framework that regulates all aspects of how businesses, organizations, and government bodies control and process personal data.
Because the UK is still considered an EU member-state in the post-Brexit era, many of its businesses are still subject to GDPR. However, the UK created its own version of the GDPR to better accommodate its domestic laws, called UK-GDPR.
The DPA 2018 requires all UK data controllers (companies and organizations that control the processing of personal data) to implement and maintain proper security measures for safeguarding personal data. More specifically, it applies to businesses that typically process customer data and records.
Is Compliance With the DPA 2018 Mandatory?
Yes. All businesses subject to the Data Protection Act of 2018 must have the appropriate measures for safeguarding data like personally identifiable information (PII), medical records, and customer data.
Additionally, data processors are required to report data breaches and cyber incidents to relevant authorities within 72 hours without undue delay, inform the controller of the data breach, as well as inform everyone involved in the data breach.
What Are the Penalties for DPA 2018 Non-Compliance?
If UK organizations fail to comply with the DPA 2018, they may be fined up to £17.5 million or 4% of annual global turnover.
Additionally, under the Data Protection (Charges and Information) Regulations 2018, controllers that process personal data are obliged to pay an annual data protection fee to the Information Commissioner’s Office (ICO), depending on the size and turnover of the company.
How the Data Protection Act Works in Conjunction With the UK-GDPR
The Data Protection Act 2018 complements and brings the data protection efforts of the GDPR into UK data protection law. Both the UK-GDPR and the DPA 2018 work together in conjunction to regulate data protection and data privacy in the UK.
Both the UK-GDPR and DPA 2018 require all UK businesses, organizations, and government entities to implement strong cybersecurity measures to properly safeguard the personal data they collect and process and minimize security breaches.
While the Data Protection Act 2018 applies to all UK businesses that control the processing of personal data, the GDPR applies to those that process personal data on behalf of controllers.
Cyber criminal offenses covered by the DPA 2018 include the destruction, falsifying, unlawful use, or unlawful obtainment of personal data, as well as altering information to prevent disclosure to the data subject.
The DPA 2018 ensures that UK individuals have the freedom to be informed how their data is used by UK organizations and government bodies, and they may request the data be deleted, updated, or reused or object to how it’s processed.
UK-GDPR (UK General Data Protection Regulation)
The UK-GDPR (General Data Protection Regulation) is the United Kingdom’s data security regulation that’s tailored by and complements the Data Protection Act 2018. Also modeled after the EU-GDPR, it governs and regulates how UK organizations and businesses collect, store, use, and process personal data.
Prior to Brexit, data handling regulations were part of the EU-GDPR under the jurisdiction of the EAA (European Economic Area). Although the UK today isn’t affiliated with European policies, it reuses the same components of the regulation with slight adjustments and modifications to fit with the domestic laws in the UK.
The UK-GDPR regulation applies to every country in the United Kingdom (England, Scotland, Wales, and Northern Ireland), and it mandates businesses to protect all personal data by only allowing third-party entities access to the personal data that are “subject to sufficient guarantees involving the security of the processing services.”
Additionally, the UK-DGPR protects the rights of data subjects (people whose data is held, according to the Data Protection Act 2018) to control how their data is handled.
The UK-GDPR recognizes seven main principles of how organizations process personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
The UK-GDPR regulations mandate businesses to store, handle, and process UK citizens’ data in a manner that meets the requirements of the principles.
Read here to learn more about the seven principles and how they help with compliance.
Is Compliance With the UK-GDPR Mandatory?
All UK organizations and businesses that are involved in the collection, handling, storage, or processing of personal/private data of all entities in the United Kingdom must comply with the UK-GDPR.
The UK-GDPR applies to UK organizations that are processors and controllers of personal data and are obliged to implement security measures for safeguarding personal data, as recommended by UK-GDPR guidelines.
One of the main steps in achieving UK-GDPR compliance, as well as DPA compliance, is to:
- Adhere to the seven principles of data processing
- Create an IT Security Policy to meet the GDPR's security requirements
- Implement strong data protection concepts
What Are the Penalties for UK-GDPR Non-Compliance?
Organizations that fail to comply with the UK-GDPR may be penalized by a maximum fine of up to £17.5 million (€20 million) or 4% of their overall annual turnover (whichever is greater). Businesses can be fined even if they aren’t affected by a cyber attack or data breach if they fail to implement adequate security standards for third-party data accessibility.
NIS (Network and Information Systems) Regulations
One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems (NIS Regulations) 2018, which was transposed from the EU Cybersecurity Directive prior to Brexit.
The primary mandate of the NIS Regulations is to “detect and manage the threats to the security of network and information systems in an acceptable and proportional manner.”
While the primary focus is cybersecurity, it also includes regulating non-cyber threats like power outages, disruptive events, or network failures caused by environmental disasters.
The regulations offer legal measures and impose cybersecurity obligations for:
- Relevant digital service providers (RDSPs — cloud computing service providers and online marketplace providers)
- Operators of essential services (OES — healthcare, energy, transport and infrastructure, and other public services)
These service providers are obligated to meet the requirements for cybersecurity and register with the relevant competent authorities.
Similarly to the UK-GDPR and DPA 2018, service providers must also report significant cybersecurity incidents to relevant authorities and regulators like the Ofcom (Office of Communications, Ofgem (The Office of Gas and Electricity Markets), and the ICO, without undue delay.
Is Compliance With the NIS Regulations Mandatory?
Yes. All UK OES and RDSPs must maintain compliance with the NIS Regulations.
To comply with the NIS regulations, all UK OES and DSPs are required to implement adequate cybersecurity measures and cyber resilience programs that include:
- Implement adequate and robust cybersecurity measures,
- Create incident response plans and report all incidents to the relevant operators
- Undertake risk assessments
- Focus on business continuity management
- Maintain cybersecurity monitoring
- Regular auditing
- Regular penetration testing and vulnerability management
- Compliance with relevant international standards like ISO 27001, ISO 27035, PCI-DSS, and HIPAA, where relevant, may also provide foundations for NIS compliance
What Are the Penalties for NIS Regulations Non-Compliance?
The NIS regulations are enforced by the imposition of severe fines, and non-compliance is followed by financial penalties. Any UK OES and RDSPs that fail to meet the requirements may face a penalty of up to £17.5 million (€19 million) or 4% of annual global turnover (whichever is greater).
What Is the Difference Between the NIS Regulations and GDPR?
Whereas the NIS Regulations only regulate the security of information systems for relevant digital service providers (RDSPs) and operators of essential services (OES), the GDPR applies to all organizations that handle personal data.
The good news is that many of the NIS Directive and Regulations’ provisions are consistent with the UK-GDPR. UK organizations that comply with the UK-GDPR may also simultaneously meet the requirements that are in conjunction with the NIS Regulations.
Computer Misuse Act 1990
The Computer Misuse Act 1990 is the main cybersecurity act that regulates the UK’s digital relationship between individuals and malicious parties. It is enforced directly with the Data Protection Act 2018 and the UK-GDPR, which protect UK residents’ personal data.
Primarily designed in 1990 to protect telephone exchanges, the Computer Misuse Act 1990 also prosecutes criminals for unauthorized access to computers for the purpose of modifying, removing, or tampering with data, as well as malicious cybercrime and cyber attacks like ransomware and DDoS attacks.
This includes cybercriminals that have committed a cybercrime in the UK or computers that are located in the UK. The information that’s illegally accessed by a cybercriminal doesn’t necessarily need to be PII (personally identifiable information) that cybercriminals use to commit identity fraud or identity theft.
As stated by the CPS (Crown Prosecution Services), a “computer” refers to devices like smartphones, tablets, and other devices besides personal desktop computers that store, retrieve, and process sensitive information and data.
Regarding Ethical Hacking
The most common challenge posed by the legal measures of the Computer Misuse Act 1990 is the regulation of ethical hacking, which is technically illegal under the act because it defines all non-consensual system access as a crime, regardless of cybersecurity benefits.
The Computer Misuse Act 1990 is more than 30 years old, and although it has been amended since then, UK organizations and businesses believe that it unintentionally inhibits the work of ethical hackers.
Cybersecurity researchers, cyber threat analysts, and penetration testers face difficulties in operating within the scope of the regulation. The act may benefit from updated sections that better illustrate the difference between ethical and malicious hacking.
While cybersecurity teams do not have much space to perform ethical hacking under this act, there are no existing cases of UK cybersecurity teams being penalized for ethical hacking.
Is Compliance With the Computer Misuse Act 1990 Mandatory?
The Computer Misuse Act 1990 prosecutes cybercriminals if they commit the following illegal activities:
- Gaining unauthorized access to a computer’s data and sensitive information with malicious intent and without permission
- The intentional use of computers to commit a crime or harm others
- The modification, removal, tampering with, or ransom of personal data via malware and viruses
- Complacency and aiding computer misuse by creating or obtaining information to perform other cybercrimes
What are the Non-Compliance Penalties for Computer Misuse Act 1990?
The fines and prison sentences for breaking the law under the Computer Misuse Act 1990 vary but generally include the following:
- £5,000 fine or a six-month sentence for unauthorised access to or malicious use of data;
- Unlimited fine or a five-year prison sentence for intention to commit cybercrime;
- Unlimited fine or a five-year prison sentence for the modification, malicious tampering, removal, and data ransom
- Unlimited fine or a 10-year prison sentence for complacency and aiding in computer misuse
Telecommunications (Security) Act 2021
The Telecommunications (Security) Act, which came into effect in November 2021 (full implementation expected by March 2024), is a strict, all-encompassing act that regulates the network security against cyberattacks of all mobile carriers in the UK.
The new regulations are amended after the Communications Act 2003, and they’re enforced and formulated by Ofcom with the help and input from the National Cyber Security Centre.
This act covers how telecommunication providers procure infrastructure and services such as 5G networks and the incentives to protect the software, equipment, and data processed by networks and services.
The Telecommunications (Security) Act includes:
- How CSPs (communication service providers) monitor activity and access;
- How they monitor security and data protection investments;
- How service providers inform stakeholders about data breaches or cyber incidents.
Is Compliance With the Telecommunications (Security) Act Mandatory?
Complying with the UK Telecommunications (Security) Act is mandatory for communications service providers (CSPs).
The act requires CSPs to:
- Minimize cybersecurity risks
- Safeguard the information that’s handled by their networks information
- Focus on supply chain risks and handle who has access to their networks and services
- Promptly inform the regulator in case of cybersecurity breaches
- Protect the monitoring and analysis of hardware and software of their network and services
- Enhance their ability to understand and identify cybersecurity anomalies and report any unusual activities
What Are the Penalties for Telecommunications (Security) Act Non-Compliance?
Failure to comply with the Telecommunications (Security) Act means that UK mobile carriers and broadband service providers may face fines of £117K/day or 10% of annual revenues, which is enforced by Ofcom.
UK eIDAS (Electronic Identification and Trust Services for Electronic Transactions Regulations 2016)
The eIDAS Regulation, or the Electronic Identification and Trust Services for Electronic Transactions Regulation, covers UK services that verify UK citizens’ identity and businesses online, as well as the authenticity of their electronic records and documents.
The eIDAS Regulation is a legal framework that outlines the requirements for trust service providers in regard to electronic signatures, time stamps, digital documents, and certificate services to achieve a qualified status as a trust service provider. Having a trust service certificate shows that the business is reputable and that customers can trust it with the authenticity and verification of their electronic data.
Under the eIDAS Regulation, UK trust service providers must implement organizational measures for cybersecurity risk management to minimize the impact of security incidents in the case of an electronic identification scheme breach.
While these are the ENISA (European Union Agency for Network and Information Security) documents as part of the EU eIDAS Regulation, they represent an applicable resource for UK eIDAS compliance as well.
Read here to learn more about guidelines and recommendations on compliance with the eIDAS Regulation.
Is Compliance With UK eIDAS Mandatory?
Trust service providers must report all cyber breaches and notify a designated ICO (Information Commissioner) within 24 hours, as well as all affected parties.
The Information Commissioner acts as an enforcement entity and supervisor that carries out audits and may revoke and grant the trust service qualified status for all UK service providers that are covered by the eIDAS Regulation.
What Are the Penalties for UK eIDAS Non-Compliance?
If a trust service provider fails to comply with a UK eIDAS enforcement/assessment/information notice by the ICO, they may be penalized by fines up to £17.5m or 4% of their total worldwide annual turnover.
PECR (Privacy and Electronic Communications Regulations)
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is the UK’s law for electronic communications networks and services in line with the Data Protection Act and the UK-GDPR, regulating privacy rights regarding electronic communication.
PECR plays a major part in maintaining the security of UK communication services, customer privacy, and location data, and it also criminalizes transmitting automated and recorded marketing messages via phone, email, fax, or text without the consent of the subscriber. Additionally, it also regulates the use of tracking cookies.
PECR works in conjunction with UK-GDPR, and it utilizes the UK GDPR standard of consent. Businesses that use tracking cookies or work with electronic marketing must be compliant with both the UK-GDPR and PECR, and the overlapping of both regulations’ data privacy requirements means that businesses that comply with PECR may also meet the requirements of the UK-GDPR.
Is Compliance With PECR Mandatory?
Yes, compliance with PECR is mandatory. Businesses that fail to comply will be penalized by the ICO.
To comply with PECR, businesses must:
- Notify the ICO and all affected parties in case of a data breach within 24 hours of detection, and maintain a log
- Ask for customer consent for tracking cookies
- Specify how long the cookies will be in use.
What Are the Penalties for PECR Non-Compliance?
Businesses and organizations that fail to meet PECR requirements face auditing and non-criminal enforcement. Frequent infringers may face being penalized by the Information Commissioner with a fine of up to £500,000 or criminal prosecution.
Reporting Cybercrime in the UK
Whether it’s a minor offense like an unintentional data leak or a severe cybercrime like hacking, all cybercrimes in the UK must be reported to respective reporting centers and law enforcement agencies for cybercrime.
There are organizations in the UK that serve as cybercrime reporting centers, and some also offer guidance for mitigation and fraud prevention tips.
National Cyber Security Centre (NCSC)
While the UK has no national CERT (computer emergency response team) or CSIRT (computer security incident response team), the NCSC plays a significant role in informing and providing technical support and guidelines to UK businesses and organizations for reporting cyber incidents.
The NCSC, which is part of GCHQ (Government Communications Headquarters), has a significant role in technical authority for cybersecurity that:
- Acts as a CSIRT that offers guidance and support to organizations that have reported a cybersecurity incident
- Engages with EU partners as a SPOC (Single Point of Contact) for submitting yearly cybersecurity incident statistics and coordinating requests
- Advises operators of essential services and competent authorities with cybersecurity knowledge and technical expertise for NIS security principles, cyber assessment frameworks, and best practices
- Serves as the national breach notification and cybercrime reporting organization, providing guidance and suitable incident response procedures for the UK public
The Cybersecurity Information Sharing Partnership
The CiSP (Cybersecurity Information Sharing Partnership) is a government-funded initiative that works together with the National Cyber Security Centre in a joint effort to exchange real-time cyber threat info with the NCSC to increase cybercrime awareness and minimize security breaches in the UK.
The CiSP serves as a digital service that encourages private UK sectors and organizations to work together with government sectors to prevent cybercrime.
Practical Steps for Regulatory Compliance for UK Organizations
For compliance with the requirements of the GDPR, NIS Regulations, and other laws that mandate cybersecurity and data protection, UK businesses should follow these instructions:
- Regularly update systems and software
- Use strong passwords that combine uppercase and lowercase letters, numbers, and symbols, and avoid using duplicate passwords
- Implement full-disc encryption on their systems
- Use the principle of least privilege in IT systems to improve the security of access privileges for staff and employees
- Create and maintain strong incident response plans and disaster recovery plan in order to notify the UK-GDPR and NIS within the required 72 hours after a cyber incident
- Regularly scan all sent and received data, info, messages, and attachments
- Use an effective standard configuration for IT equipment and assets
- Maintain inventory of all IT equipment, digital assets, and software
- Minimize the use of removable data storage devices like USB drives or external hard disks for improved data protection against misuse, data leaks, and data loss
- Install firewalls to ensure a safe network
- Use AI, machine learning, and automation to improve the endpoint detection and identification, incident response process, and overall cybersecurity strategy of the company
- Regularly maintain security audits and security reviews like vulnerability scans, vulnerability management, and penetration testing
- Ensure authorized access to important data is solely granted to privileged employees if they’re using their own devices to connect to networks
- When disposing of storage devices, create data wipe policies and follow best practices in deleting all data to protect against data leaks
- Implement internal company policies for the safe use of emails and web browsing against malicious attacks
- Implement employee training and best practices to help them identify ransomware and threats of identity theft, as well as prevent data breaches that may result in intellectual property theft
- Regularly log and monitor the use of all digital assets and IT systems
- Ensure all cybersecurity staff is accredited by a critical regulatory body
- Strive to meet and maintain compliance with regulatory bodies like ISO 27001
- Ensure the company effectively uses cybersecurity resources by regularly assessing and evaluating all attack vectors in the cyber threat landscape