21 May 2024
Cyber security has emerged as one of the foremost concerns for governments worldwide, with the potential to compromise national security and industries posing a systemic risk to stability. In response to this escalating threat, regulators are grappling with the challenge of crafting effective cyber security legislation to protect critical infrastructure and industry. However, navigating the complex legislative landscape presents a significant challenge for businesses, as compliance requirements vary across industries, organisation size and geographical regions.
Keeping pace with changes is crucial as the current legislation defines the lowest standards for cyber controls and has established a basic level of expectations. With concerns about how artificial intelligence (AI) will affect the cyber risk landscape, legislation is only going to get stricter.
Industry driving needs
The current legislative framework is characterised by industry-driven initiatives. For example, the water industry are setting their own cyber security expectations. While International Organisation for Standardisation's (ISO) 27001 has been the globally accepted industry standard for many years, organisations are increasingly adopting other frameworks like the Centre for Internet Security 18 (CIS 18), NIST and more recently NIS2 to bolster their cyber security protection.
Demonstrating compliance with these frameworks has become a standard prerequisite for operating within regulated industries, highlighting the importance of staying abreast of evolving legislative requirements.
Industries such as finance, utilities and healthcare are among the most heavily regulated. Financial institutions, including banks, payment providers and insurance companies, are subject to regulations such as the Financial Conduct Authority's (FCA) Handbook, operational resilience rules, and the Payment Card Industry Data Security Standard (PCI DSS), which mandate specific cyber security controls to protect customer financial information and prevent fraud. The Digital Operational Resilience Act (DORA) regulatory framework for digital operational resilience across financial services institutions is also coming into force across Europe later this year.
Legislation has naturally evolved in an industry led way as enforcing blanket legislation across many industries is extremely difficult. Naturally, therefore, legislative requirements are being set, with strong industry regulator enforcement helping to drive and improve cyber security standards.
Industries sitting outside of current legislation
Certain industries, such as retail and consumer markets, have been operating in an environment that has limited legislation specifically addressing cyber security. Unlike the more highly regulated sectors, such as financial services or healthcare, where compliance requirements are well-defined, industries such as retail have faced less scrutiny.
One of the primary reasons for the lack of specific cyber security legislation in these industries is the relatively lower perceived systemic risk compared to sectors dealing with finance, sensitive data or critical infrastructure. While retail and consumer markets certainly face cyber threats, such as payment card fraud and data breaches, the regulatory focus has often been on consumer protection rather than cyber security.
The absence of specific cyber security legislation however does not mean cyber security is not a priority for businesses operating in these industries. Many retailers recognise the importance of protecting customer data and maintaining trust in their brand reputation.
While there may be less regulatory oversight, businesses in these sectors often adhere to industry standards such as the PCI DSS and ISO 27001 to demonstrate their commitment to cyber security best practices.
Instilling operational resilience
Sitting at the heart of government legislative agendas is the aim of instilling operational resilience within organisations and wider economic infrastructures. By mandating effective cyber security controls, legislators seek to safeguard critical infrastructure and industries that could have a systemic impact if attacked.
However, industries that fall outside the scope of existing legislation face unique challenges in navigating the cyber risk landscape. Without clear regulatory guidance, organisations must take proactive measures to enhance their cyber security defences and mitigate emerging threats.
European legislation touching UK organisations
The European Union (EU) is moving to bring a minimum level of security controls across their member states. In addition to the General Data Protect Regulation (GDPR), two pieces of legislation helping to establish those controls, Network and Information Security Directive 2 (NIS2) and DORA come into force in October 2024 and January 2025 respectively.
While not directly applicable to UK businesses, NIS2 will impact organisations across a range of industries operating internationally with financial services firms impacted by both. Organisations need to consider if they are in scope of EU directives and how their systems and infrastructure is being used to provide services to EU clients or parts of their organisation in the EU. Organisations will need to consider how regulations, directives, acts and legislations interact and how they can successfully navigate compliance, and that can complex to determine.
NIS 2 | DORA |
The Network and Information Security Directive 2 (NIS2) aims to achieve a high common level of cyber security across the EU. It is the second piece of legislation aimed at this goal. The replacement of the first NIS directive has been enforced to strengthen the security requirements and create stricter enforcements. | The Digital Operational Resilience Act (DORA), is a European Union regulation that will apply from 7 January 2025. The legislation is predominantly focused at strengthening the security of financial services institutions across Europe, concentrating on operational resilience in the case of severe operational disruption. |
The global challenge of AI
Typically, transformational technology emerges and is adopted before governments can form appropriate regulations. It has taken from the widespread use of the internet in the 1990s, to 2023 for any legislation (the ) to enforce safety online. AI is no exception. Before the 2023 AI safety summit, the British Government had said that it would not ‘rush to regulate’ during an announcement of the creation of an AI safety body in the UK.
However, as AI continues to be increasingly adopted across industries, concerns about its potential for malicious use in cyber-attacks are becoming more prevalent. While governments have been slow to regulate AI, recent initiatives such as the European Union's Artificial Intelligence Act, signal a growing recognition of the need for regulatory oversight. However, the pace of regulatory action may not keep pace with technological innovation, leaving organisations to grapple with the risks posed by AI independently.
The reluctance of some governments to rush into regulating AI, including the UK, reflects the complex ethical and technical considerations at play. While AI holds immense potential for driving innovation and efficiency, its misuse poses significant risks to cyber security. As policymakers weigh the need for regulation against the imperative of fostering innovation, businesses must navigate a shifting regulatory landscape with caution.
Staying ahead of cyber security updates
The intersection of cyber security and legislation presents a complex and evolving landscape for businesses to navigate. While industry-driven initiatives and government mandates provide a framework for enhancing cyber security resilience, the rapid evolution of technology poses new challenges.
Organisations must remain vigilant in monitoring legislative developments and proactively adapt their cyber security strategies to mitigate emerging threats. By staying ahead of the curve, businesses can effectively navigate the cyber risk legislative landscape and safeguard their operations in an increasingly digital world.