What are the Cybersecurity Laws and Regulations in the UK and What Can Happen if a Business Fails to Comply?

It is not only in a business’ best interest to observe good cybersecurity behaviour and practices for the benefit of maintaining reputation, costs and resources, but also due to the various laws and regulations which must be adhered to. 

In this blog we will examine the cybersecurity laws and regulations which apply in the United Kingdom, what they require businesses to do, and the potential sanctions for incompliance.  

Network and Information Systems Regulations 2018  

The NIS regulations apply to Operators of Essential Services (OES) and Digital Service Providers (DSPs).  

OES are organisations (public or private) that provide services essential to the economy and society which place a heavy reliance on information networks. A DSP is an organisation providing a digital service in the UK as a search engine, online marketplace or cloud computing service. 

An OES must notify their designated Competent Authority “about any incident which has a significant impact on the continuity of the essential service which that OES provides.” 

Similarly, a DSP must notify the Information Commissioner “about any incident having a substantial impact on the provision of any of the digital services …that it provides.” 

Organisations contravening the NIS Regulations are subject to a maximum financial penalty of £17 million. It is also possible to be fined under both the NIS Regulations and the General Data Protection Regulations (GDPR) for the same incident (so-called ‘double jeopardy). 

Communications Act 2003 & Privacy and Electronic Communications (EC Directive) Regulations 2003 

The Communications Act (CA) requires Public Electronic Communications Network (PECN) providers and Public Electronic Communications Service (PECS) providers to take technical and organisational measures to manage risks to security.  

The Privacy and Electronic Communications Regulations (PECR) compels PECS providers to ensure the security of its services through technical and organisational measures to restrict who can access personal data and protect the way it is stored and transmitted. 

Both PECN and PECS providers must notify Ofcom of a breach of security that has a significant impact on its operation. 

When there is a data breach, a PECS provider must notify the Information Commissioner within 24 hours of detection, notify the individuals affected in certain cases and maintain a log of personal data breaches. 

As potential sanctions, Ofcom can impose fines up to £2 million for non-compliance with CA, and also suspend entitlement to provide network or services. 

For PECR, the Information Commissioner may impose enforcement notices, information notices and financial penalties up to £500,000 on PECS providers. Search and seizure investigations can also be carried out and there is a fixed monetary penalty of £1,000 for failing to comply with the breach notification requirement.  

Data Protection Act 2018 / UK GDPR 

These regulations apply when personal data is being processed. They require controllers to: 

• Process personal data in a manner that ensures appropriate security of the data (‘integrity and confidentiality’) 
• Observe data protection by design and default principles when building systems and processes  
• (and processors) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk 
• Report personal data breaches and inform affected individuals. Processors must inform the controller if they become aware of a breach 

The Data Controller must notify the Information Commissioner if there is a data breach within 72 hours from when it becomes aware. 

Sanctions for non-compliance could include a fine up to £17.5 million or 4 percent of total annual turnover in the preceding year. 

The Information Commissioner can also impose various notices including enforcement notices requiring the organisation to take or not take certain actions. 

Computer Misuse Act 1990 

Although the Computer Misuse Act (CMA) does not impose security obligations on businesses as such, it creates various cybercrime offences such as unauthorised access or interference with a computer. This can include intent to impact the operation of a computer (e.g. viruses, malware, spyware). 

CMA offences can bring heavy fines and sentences. Up to life imprisonment can be imposed for damage in respect to life, loss of life or national security, and up to 14 years for damage to the economy. 

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 

The Electronic Identification and Trust Services for Electronic Transactions Regulations (eIDAS) provide a framework allowing people and businesses to use electronic identification to access online public services in other EU Member States. The regulation has since been transposed in UK law. 

eIDAS also sets requirements for trust services, defining what trust service providers need to do to gain qualified status. 

Appropriate technical and organisational measures to manage the security risks posed to the trust services provided must be taken; particularly those to prevent and minimise the impact of incidents. 

The Information Commissioner must be notified within 24 hours of a breach to an electronic identification scheme. If there are affected users, they must also be notified. Moreover, the general public may also need to be informed about a breach by the trust provider. 

Relevant sanctions for eIDAS include: 

• A financial penalty of £1,000 
• Serving of an Enforcement Notice, requiring specified steps to be taken 
• Prosecution of organisations failing to comply with an Enforcement Notice 
• Reports made to Parliament 
• Fines of up to £17.5 million for serious failures to comply with served notices 

Summary 

Here we have examined the relevant cybersecurity regulations in the UK. It is in a business’ best interests to ensure they are complying with these laws and regulations as there can be severe consequences if they do not. 

A service such as that offered by Securiwiser can help ensure a business keeps their data and service provided secure by analysing potential vulnerabilities that could put it at risk. It is a business’ responsibility to ensure they are compliant with the relevant regulations.