In a recent update from the Secretary of State for the Department for Science, Innovation and Technology (found here, Cyber security and resilience policy statement – GOV.UK), the UK Government has started to address some of this anticipation, dropping clues as to how the CS&R Bill will look when compared to its European cousin. So, what have we learnt about the Bill and its alignment with NIS2?

Expanded scope

In addition to the current in-scope sectors (energy, transport, health, drinking water supply and distribution, and digital infrastructure, as well as some digital services such as online marketplaces, search engines and cloud computing), the policy statement confirms the intention to bring Managed Service Providers (“MSPs“) within the remit of cyber security regulation, subjecting them to the same duties as ‘relevant digital service providers’ under the current NIS regulations. MSPs (also regulated by NIS2) are B2B services that provide IT systems, infrastructure and network support.

The Government also demonstrated its commitment to bolster supply chain security for operators of essential services (“OES“) and relevant digital service providers (“RDSPs“) that meet certain thresholds. Secondary legislation is intended to be used as a vehicle for imposing stricter duties on contractual requirements, security checks and continuity plans in an effort to target underlying cyber vulnerabilities in supply chains echoing, if not exceeding the requirements of NIS2 to ensure cybersecurity controls extend to the supply chains of in-scope entities. Additionally, regulators will have the power to identify suppliers of critical services (including SMEs) whose disruption could cause significant impacts on the essential/digital service being supplied. These will be classed as “designated critical suppliers” (“DCS“), bringing them within scope of core security requirements and reporting obligations.

While expansion of the UK’s cybersecurity regime to include MSPs and critical supply chains will bring us one step closer to the reforms sweeping EU nations, it is unclear whether the UK will follow Europe in expanding the scope of cyber regulation to include sectors such as public administration entities, space, manufacturing, food production and postal and courier services (to name but a few).

Regulatory reinforcement

Perhaps amongst the measures most easily associable with the CS&R Bill’s European counterpart will be the updated incident reporting criteria. Incidents that are “capable of having a significant impact on the provision of essential or digital services and that significantly affect the confidentiality, availability, and integrity of a system” will need to be reported. This closely follows the requirements found in Art 23 of NIS2, as does the requirement that entities such as data centres and those providing digital services will be obligated to report incidents directly to customers in certain instances.

Equally alike in their resemblance to NIS2 are the reporting deadlines, with the relevant regulator and National Cyber Security Centre (“NCSC“) to be notified of significant incidents within 24 hours, and further incident reports to be provided within 72 hours. As the policy statement makes clear, “in practice [the Government] intends this procedure to be similar to, and no more onerous, than the… NIS2 directive“.

To provide some steer to regulators in their additional duties, the Government aims to issue a code of practice setting out guidance on minimum regulatory requirements which will put the existing NCSC Cyber Assessment Framework (CAF) profiles on a firmer footing and extend their scope to include OES. Particular focus is also given to the UK Information Commissioner (“ICO“) as a national guardian of cyber security, with a raft of seemingly familiar powers relating to registration and notice requirements, information sharing and enforcement, being introduced to support risk identification and mitigation. This all comes with a boost in financial means, as regulators will be able to set fees regimes and recover costs through various measures in order to contribute to financing their increase in regulatory work.

Measures to keep on your radar

Despite not confirming their inclusion in the CS&R Bill, the Government flagged upcoming measures to keep an eye on. Most notable would be the classification of data centres as an essential service, bringing them within scope of the regulatory framework and aligning with NIS2’s approach. This has been contemplated since their designation as Critical National Infrastructure in September 2024 and would aim to strengthen the level of consistency and protection across the sector.

Other contemplated measures include bolstered powers for the Secretary of State, allowing a Statement of Strategic Priorities to be issued as well as powers of direction relating to entities and regulators. Collectively, these would allow the Government to require certain actions be taken to address significant incidents and threats to national security.

Conclusion

In summary, it is clear that the Government’s planned amendments to the current NIS Regulations will make clear and decisive steps to bridge UK cyber laws and the new European NIS2 regime. However, the CS&R Bill does not appear to be following NIS2 in expanding the reach of its reforms to a raft of new industries. While Managed Service Providers are the biggest industry to whom new UK laws will apply, it is likely that many of the industries new to the NIS2 regime – for example food producers and chemicals manufacturers – will remain beyond the UK’s cyber reforms. Only time will tell whether that remains the case when the fully-formed Bill hits the statute books, the timing of which is still unclear.

From the little we do know however, it is evident that the burden and application of cyber regulation together with accompanying cyber certifications and industry standards will only increase, making it more critical than ever that businesses operating in both the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Only then can businesses be ready for the inevitable swathe of new cyber regulation hitting UK shores, as well as the very real cyber threat it is all aimed at combatting.

Executive Order 14117, and the implementing Final Rule , intends to address the threat of foreign powers and state-sponsored threat actors using Americans’ sensitive personal data for malicious purposes. The Final Rule sets out the conditions under which a bulk transfer of sensitive personal data or US government-related data to a country of concern or covered person will be permitted, restricted or prohibited.

The Final Rule underpins the higher levels of scrutiny from the US government over bulk cross-border data transfers which may pose a risk to the US national interests, and the tightening of compliance requirements on US companies to protect sensitive personal data and government data when engaging with these countries, or those connected.

Scope of the Final Rule

The key elements determining the applicability and scope of the Final Rule, when applied to a data transaction by a US entity, are:

• Countries of Concern: As noted above, the Final Rule designates six countries as countries of concern: (1) China (including Hong Kong SAR and Macau SAR), (2) Cuba, (3) Iran, (4) North Korea, (5) Russia, and (6) Venezuela. The transfer of sensitive data to Covered Persons within these jurisdictions could therefore be captured.
• Covered Persons: The Final Rule defines four classes of covered persons as the transacting party that will require additional scrutiny: (1) foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50% or more owned by a covered person; (3) foreign employees or contractors of countries of concern or entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.
• Sensitive Personal Data: The Final Rule regulates transactions involving six categories of sensitive personal data: (1) certain covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic); (5) personal health data; and (6) personal financial data.
• Bulk Sensitive Personal Data: Within these Sensitive Personal Data categories, different thresholds for the volume of data being transferred are applied. These thresholds determine the applicability of the Final Rule to the transaction. The prohibitions and restrictions apply to covered data transactions involving sensitive personal data exceeding certain thresholds over the preceding 12 months before the transaction. For example, compliance requirements for the transfer of precise geolocation data will not be triggered unless location data from over 1,000 US persons or devices is being transferred. Contrastingly, the data transfer of the personal identifiers (such as social security numbers) of over 100,000 US persons will be required before the threshold is met. The definition of ‘bulk’ and how this applies across the categories of personal data is therefore key.

Prohibited or restricted transactions?

Alongside these key elements, the Final Rule determines that the type of transaction under which the data is being transferred will inform whether the transaction is restricted, prohibited or exempt from scrutiny. A transaction falling into the category of restricted will impose the new, additional compliance requirements on US Companies before the transaction can proceed.

The Final Rule prohibits transactions involving (1) data brokerage (i.e., “the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data”), and (2) covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived. The outright prohibition on data brokerage agreements with countries of concern is extended further, with the Final Rule also requiring US persons to contractually ensure that data brokerage transactions with other foreign persons, who are not countries of concern or covered persons, do not enable the transfer of the same data to countries of concern under subsequent arrangements. This additional safeguard on data brokerage where sensitive personal data is involved underlines the requirement for sufficient due diligence with overseas partners.

Vendor, employment, and non-passive investment agreements are captured as restricted transactions. These transactions are permitted if they meet certain security requirements developed by the Cybersecurity and Infrastructure Agency (CISA).

Finally, data transactions which fall under categories such as (but not limited to) personal communications that do not transfer anything of value, ordinary corporate group transactions between a U.S. person and its foreign subsidiary or affiliate, and financial services involving transactions ordinarily incident to and part of providing financial services, are exempt from any compliance requirements under the Final Rule: illustrating the practical intention of the requirements.

Compliance obligations

CISA requirements detail the types of cybersecurity, data retention, encryption and anonymisation policies, alongside other measures, that can be adopted by US companies in order to bring a restricted transaction into compliance, ensuring the safety of sensitive personal data.

An enhanced due diligence exercise is therefore expected when seeking to transact with covered persons, where the bulk transfer of sensitive personal data is a possibility. Key features of this include the implementation of a data compliance program, including comprehensive policies, procedures and record keeping surrounding data involved in a restricted transaction, as well the completion of third-party audits to monitor compliance with the Final Rule. Finally, reporting is expected when engaging in restricted transactions, demonstrating the depth of US government oversight and interest in these transactions.

FAQs, Compliance Guide and Enforcement Policy

On April 11, 2025, the Department of Justice published answers to Frequently Asked Questions;  a Compliance Guide; and issued a Implementation and Enforcement Policy for the first 90 days of the Final Rule. (i.e. through July 8, 2025). 

• Compliance Guide. The Compliance Guide aims to provide ‘general information’ to assist individuals and entities when complying with the Data Security Program (“DSP”), established by the Department of Justice’s National Security Division to implement the  Final Rule and Executive Order 14117. The Compliance Guide includes guidance on a number of different areas, including, key definitions, steps that organizations should take  to comply with the Final Rule, model contract language and prohibited and restricted data transactions.

• FAQs. The Department of Justice has provided answers to more than 100 FAQs, which aim to provide high level clarifications about Executive Order 14117 and the DSP, including, for example, answers to questions in relation to scope of the DSP;  the effective date of the Final Rule; definitions , exemptions; and enforcement and penalties.

• Implementation and Enforcement Policy for the First 90 Days (“the Policy“): The Policy states that during the first 90 days, enforcement will be limited “to allow U.S. persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the DSP “. Specifically, the Policy is clear that there will be limited  civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 “so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time”. The Policy provides examples of ‘good faith efforts’, including: conducting internal reviews of access to sensitive personal data; renegotiating vendor agreements or negotiating contracts with new vendors; transferring products and services to new vendors; implementing CISA security requirements; adjusting employee work locations, roles or responsibilities; and evaluating investments from countries of concern or covered persons. The Policy stated that at “the end of this 90-day period, individuals, and entities should be in full compliance with the DSP.”

Next steps

Whilst certain due diligence, auditing, and reporting obligations will not become effective until October 2025, preparation for effective oversight and compliance with the CISA requirements can begin now. In particular, organisations should assess current compliance measures in place to identify potential compliance gaps and establish controls to address those gaps, in order to be able to demonstrate that they are engaging in “good faith efforts.” DLA Piper can advise on a review of current policies and procedures and preparing effectively for transactions that may fall within the Final Rule.

DBN Guideline

When must a personal data breach be notified to the regulator and affected data subjects?

A data controller must notify a personal data breach to both the Commissioner andaffected data subjects if it causes or is likely to cause “significant harm”, which includes a risk for any of the following:

• physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
• misuse of personal data for illegal purposes;
• compromise of sensitive personal data;
• combination of personal data with other personal information that could potentially enable identity fraud; or
• (for the purpose of notification to the Commissioner only) a breach of “significant scale”, i.e. involving more than 1,000 affected data subjects.

What is the timeframe to make data breach notifications?

The timeframe for notifications is as follows:

• Notification to the Commissioner: as soon as practicable and within 72 hours from the occurrence of the breach. If notificationfails to be made to the Commissioner within 72 hours, a written notice detailing the reasons for the delay and providing supporting evidence must be submitted; and
• Notification to affected data subjects: without unnecessary delay and within seven days of notifying the Commissioner.

What are the other key obligations related to personal data breaches?

A data controller should:

• DPA:  contractually obligate its data processor to promptly notify it of a data breach and to provide it with all reasonable and necessary assistance to meet its data breach notification obligations;
• Management and response plans: put in place adequate data breach management and response plans;
• Training: conduct periodic training as well as awareness and simulation exercises to prepare its employees for responding to personal data breaches;
• Breach assessment and containment: act promptly as soon as it becomes aware of any personal data breach to assess, contain, and reduce the potential impact of the data breach, including taking certain containment actions (such as isolating compromised systems) and identifying certain details about the data breach in its investigation; and
• Record-keeping: maintain a register of the personal data breach for at least two years to document the prescribed information about the data breach.

DPO Guideline

Who are required to appoint DPOs?

An organisation, in the role of either a data controller or a data processor, is required to appoint a DPO if its processing of personal data involves:

• personal data of more than 20,000 data subjects;
• sensitive personal data including financial information of more than 10,000 data subjects; or
• activities that require “regular and systematic monitoring” of personal data.

Who can be appointed as DPOs?

DPOs may be appointed from among existing employees or through outsourcing services based on a service contract. They must:

• Expertise: demonstrate a sound level of prescribed skills, qualities and expertise;
• Language: be proficient in both Malay and English languages; and
• Residency: be either resident in Malaysia or easily contactable via any means.

What are the other key obligations related to DPO appointments?

A data controller required to appoint a DPO should:

• Notification: notify the Commissioner of the appointed DPO and their business contact information within 21 days of the DPO appointment;
• Publication: publish the business contact information of its DPO through:

• its website and other official media;
• its personal data protection notices; or
• its security policies and guidelines; and
• Record-keeping: maintain records of the appointed DPO to demonstrate compliance.

A data processor required to appoint a DPO should comply with the publication and record-keeping obligations above in relation to its DPO.

Next Steps The new guidelines represent a significant step in the implementation of the newly introduced data breach notification and DPO appointment requirements. All organisations subject to the PDPA, whether data controllers or processors, should carefully review the guidelines and take steps to ensure compliance by 1 June 2025. This includes updating relevant internal policies (such as data breach response plans and record-keeping and training policies) and contracts with data processors to align with the guidelines. Additionally, organisations should assess whether a DPO appointment is necessary and, if so, be prepared to complete the appointment and notification processes and update their privacy notices, websites and other media to include DPO information.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing personal data of more than 10 million individuals to conduct a self-initiatedcompliance audit of its personal data processing activities (“Self-Initiated Audits“) at least once every two years. 

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits“):

1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
   
2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
   
3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of competing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).  

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the detailed compliance steps expected from controllers for compliance with PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

On 3 January 2025, the Cyberspace Administration of China (“CAC“) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures“). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data outside of China (“CBDTs“).

To recap, Chinese law requires data controllers to take one of the following three routes to legitimize CBDTs, unless they qualify for specific exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows (click here for our summary, “Provisions“) or local rules:

• CAC security assessment;
• Standard Contractual Clauses (“SCCs“) filing; or
• CAC-accredited certification.

If enacted, the Draft Measures will provide significant clarity regarding the certification route, offering data controllers both within and outside of China a viable option for compliance of CBDTs. Below is a practical guide to the key provisions of the Draft Measures, along with our recommendations for data controllers engaged in CBDTs in light of this new regulation.

Who can utilise the certification route?

Data controllers in China: In alignment with the conditions outlined in the Provisions, the Draft Measures reiterate that a data controller in China may pursue the certification route if:

• the data controller is not a critical information infrastructure operator (“CIIO“);
• no important data is transferred outside of China; and
• it has cumulatively transferred non-sensitive personal data of 100,000-1,000,000 individuals or sensitive personal data of less than 10,000 individuals outside of China since the beginning of the year.

It is worth noting that these conditions are the same as those for taking the SCCs filing route, making the certification route an effective alternative to the SCCs filing route for data controllers in China.

Overseas data controllers: The certification route is also available to data controllers outside of China that fall under the extraterritorial jurisdiction of the Personal Information Protection Law (“PIPL“), i.e. those processing personal data of residents in China to provide products or services to them or analyze or evaluate their behavior.

The Draft Measures do not specify the volume threshold or other conditions for overseas data controllers to take the certification route. It remains to be clarified whether overseas data controllers with a limited scope of CBDTs (e.g. those not reaching the volume threshold for data controllers in China as outlined above) can be exempted from obtaining certification or following the other legitimizing routes.

From which certification bodies can a data controller obtain the certification?

Certification bodies that have received approval from the State Administration for Market Regulation (“SAMR“) and have completed a filing process with the CAC are qualified to issue the CBDT certification.

What are the evaluation criteria for the certification?

The evaluation for the certification will focus on the following aspects:

• the legality, legitimacy and necessity of the purposes, scope and methods of the CBDT;
• the impact of the personal data protection laws and policies and network and data security environment of the country/region where the overseas data controller/recipient is located on the security of the transferred personal data;
• whether the overseas data controller/recipient’s level of personal data protection meets the requirements under Chinese laws, regulations and mandatory national standards;
• whether the legally binding agreement between the data controller and the overseas data recipient imposes obligations for personal data protection;
• whether the organizational structure, management system, and technical measures of the data controller and the overseas data recipient can adequately and effectively ensure data security and protect individuals’ rights and interests regarding their personal data; and
• other aspects deemed necessary by certification bodies according to relevant standards for personal information protection certification.

Are there special requirements for overseas data controllers pursuing certification?

Yes. An overseas data controller governed by the PIPL seeking certification must submit the application with the assistance of its dedicated institution or designated representative located in China (the presence of which is a requirement under the PIPL).

The Draft Measures also make it clear that overseas data controllers must, like data controllers in China, assume legal responsibilities associated with certification processes, undertake to comply with relevant Chinese data protection laws and regulations, and be subject to the supervision by Chinese regulators and certification bodies.

How are certification processes and results supervised?

The Draft Measures grant supervisory powers to both the SAMR and the CAC. They can conduct random checks on certification processes and results; and evaluate certification bodies. Certified data controllers will also be under continuous supervision by their certification bodies.

If a certified data controller is found to no longer meet the certification requirements (e.g. the actual scope of the CBDT is inconsistent with that specified in the certification), the certification will be suspended or revoked, which action will be made public. 

Are there ancillary rules and standards on the horizon?

Probably yes. The Draft Measures indicate that the CAC will collaborate with relevant regulators to formulate standards, technical regulations, and conformity assessment procedures for CBDT certification and work alongside the SAMR to develop implementation rules and unified certificates and marks for CBDT certification.

Is the certification likely to be recognised in other jurisdictions?

Probably yes. According to the Draft Measures, China will facilitate mutual recognition of personal information protection certification with other countries, regions, and international organizations.

Recommendations

As discussed, the Draft Measures make available a tangible certification route to legitimize CBDTs for data controllers both within and outside of China. Data controllers should carefully evaluate and choose between the three legitimizing routes when engaging in CBDTs, considering their respective pros and cons and suitability for the controllers’ specific patterns of CBDTs. For example, the certification route may be advantageous for complex CBDTs among multiple parties where signing of SCCs is challenging. To make well-informed decisions, data controllers engaged in CBDTs are recommended to closely monitor developments related to the Draft Measures in the months following the conclusion of the public consultation period on 3 February 2025, and remain vigilant for any release of ancillary rules and standards. This is particularly necessary because some important details about the certification route, such as the validity period of the certification and any thresholds for overseas data controllers to take the certification route, remain unclear.

Overseas data controllers processing personal data of residents in China should also be aware of the Draft Measures, as they specifically outline the certification route. This represents a further enhancement of Chinese regulations governing overseas data controllers, following clarifications regarding the procedure for reporting dedicated institutions or designated representatives of overseas data controllers under the Network Data Security Management Regulation that took effect on 1 January 2025 (click here for our summary). Given this trend, overseas data controllers processing personal data of residents in China should consider assessing whether they fall under the extraterritorial jurisdiction of Chinese data protection laws and, if so, evaluating the practical risks of non-compliance with such laws (e.g. the impact of potential service disruptions or access restrictions). If compliance with Chinese data protection laws turns out to be necessary, it is advisable to implement a comprehensive program to navigate how China’s CBDT restrictions and, more broadly, its complex data regulatory framework may apply to the overseas data controller and devise compliance strategies.

It is also important to remember that the legitimizing routes are not the sole requirement for CBDTs under Chinese law. Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including obtaining separate consent from data subjects, conducting personal information impact assessments, and maintaining records of processing activities.

The majority of the amendments to the Privacy Act 1988 (Cth) will commence the day after the Privacy Act Bill receives Royal Assent, with a few exceptions.

The Privacy Act Bill contains key amendments to the Privacy Act including:

• A statutory tort for serious invasions of privacy – this will only apply (amongst other criteria) where the conduct in question was intentional or reckless, and this section of the Bill will take effect no later than six months after the Act receives Royal Asset.
• The framework for a Children’s Online Privacy Code – this will be developed by the Information Commissioner and will apply to social media platforms and any online services likely to be accessed by children.
• Tiered sanctions for less serious privacy breaches – this includes civil penalties of up to AUD 3.3 million for an “interference with privacy” and lower level fines of up to AUD 330,000 for administrative breaches, such as deficient privacy policies.  The headline penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover, remain for conduct which amounts to a “serious interference with privacy”.
• Requirements to include details of the use of automated decision making into privacy policies, where personal information is used in wholly or substantially automated decision making that could reasonably be expected  to significantly affect the rights or interests of an individual.  This requirement will not take effect for 24 months however.
• The introduction of a criminal offence for doxing.
• Eligible data breach declarations and information sharing – these are designed to allow limited information sharing following a data breach, in circumstances which would otherwise be in breach of the Privacy Act (such as disclosing information to banks and other institutions for the purpose of enhanced monitoring).
• Clarifications to APP 11 to ensure it is clear that the reasonable steps which entities must take to protect personal information include “technical and organisation measures”.
• The introduction of equivalency decisions under APP 8 to facilitate cross-border transfers of data.

Our previous post, available here, provides further insights regarding these changes.

Whilst the Privacy Act Bill implements some of the recommendations from the Privacy Act Review Report, subsequent tranches of amendments are expected in the next 12-18 months to implement the remaining recommendations.

The Cyber Security Act 2024 (Cth), which received Royal Asset on 29 November 2024, introduces:

• A mandatory ransomware reporting requirement – reports must be made to the Department of Home Affairs if a ransomware payment is paid to an extorting entity. This requirement will be implemented after a 6 month implementation period, and is drafted so as to also capture ransomware payments made on behalf of an entity doing business in Australia.
• A Cyber Review Board which will conduct no-fault, post incident reviews of significant cyber security incidents in Australia.
• A limited use exception –  this prevents information which is voluntarily provided to certain Government departments from being used for enforcement purposes, and is designed to encourage enhanced cooperation between industry and Government during cyber incidents.
• Mandatory security standards for smart devices.

Our previous post, available here, includes further details on cyber security legislative package.

What is the CRA?

The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats.  It is a key element of the EU’s Cybersecurity Strategy for the Digital Decade.

The CRA is designed to fulfil a perceived gap in EU regulation and sets uniform cybersecurity standards for the design, development and production of hardware and software products with digital elements (PDEs) placed on the EU market – introducing mandatory requirements (e.g. relating to security vulnerabilities, and addressing transparency) for manufacturers and retailers, extending throughout the product lifecycle.  With few exceptions for specific categories, the CRA covers all products connected directly or indirectly to other devices or networks.

Scope of the CRA

The CRA applies to all economic operators of PDEs made available on the EU market. This includes:

• manufacturers (and their authorised representatives);
  
• importers;
  
• distributors; and
  
• any other natural or legal person subject to obligations in relation to the manufacture of PDEs or making them available on the market (including retailers).

The reach of the proposed CRA is broad, covering all PDEs whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

A PDE is defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately” (Article 3(1) CRA).

Remote data processing is defined as “any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions” (Article 3(2) CRA).

Whilst the usual example of in-scope products is smart devices, such as smartphones, this is complicated in respect of software products involving remote data processing solutions: the CRA supporting FAQ indicates that software which forms part of a service rather than a product is not intended to be covered.

It is therefore important to identify how products are provided – as software products with remote data solutions, or software which is part of a service. This analysis will need to take into account how the various ‘features’ making up each product are provided.

Manufacturers are broadly defined as “any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge” (Article 3(13) CRA).

Exceptions:

The CRA excludes from its scope a limited number of products and/or fields which are considered to be already sufficiently regulated, including:

• Products which are in conformity with harmonised standards and products certified under an EU cybersecurity scheme; and
  
• Medical devices, aviation devices, and certain motor vehicle systems/components/technical units, to which existing certification regimes apply.

Obligations of economic operators

The primary objective of the CRA is to address a perception at EU institutional level of a poor level of cybersecurity and vulnerabilities in many software and hardware products on the market. The CRA also aims to address the lack of comprehensive information on the cybersecurity properties of digital products to enable consumers to make more informed choices when buying products. With this in mind, the CRA imposes a large number of obligations upon relevant economic operators, with the majority of obligations falling on “manufacturers” of PDEs.

Key obligations on manufactures under the CRA include:

• When placing a PDE on the EU market, ensuring that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I CRA. The high level requirements set out in Annex 1, Part 1 CRA, include that products with digital elements “shall be designed, developed and produced in such way that they ensure an appropriate level of cybersecurity”, to ensure protection from unauthorised access by appropriate control mechanisms, and protect the confidentiality and integrity of stored, transmitted or otherwise processed data; to be designed, developed and produced to limit attack surface, including external interfaces. These requirements may be clarified as the European Commission is authorised to adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential requirements set out in Annex 1 CRA;
  
• Undertake an assessment of the cybersecurity risks associated with a PDE, taking the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the PDE, with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users;
  
• Document and update the assessment of the cybersecurity risks associated with a PDE and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements;
  
• Exercise due diligence when integrating components sourced from third parties in PDEs and ensure that such components do not compromise the security of the PDE;
  
• Document relevant cybersecurity aspects concerning the PDE, including vulnerabilities and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product;
  
• Put in place compliant vulnerability handling processes, including providing relevant security updates, for the duration of the support period (of, in principle, five years);
  
• Report actively exploited vulnerabilities to the relevant Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA) without undue delay and in any event within 24 hours of becoming aware. The manufacturer must also inform the impacted users of the PDE (and, where appropriate, all users) in a timely manner about an actively exploited vulnerability or a severe incident and, where necessary, about risk mitigation and any corrective measures that they might deploy to mitigate the impact;
  
• Perform (or have performed) a conformity assessment for PDEs to demonstrate compliance with obligations. Depending on the risk classification of the product in question there are different procedures and methods that may be applied, with products considered to be of particular high risk being subject to stricter requirements. The procedures range from internal control measures to full quality assurance, with more stringent provisions introduced for products deemed “critical”, such as web browsers, firewalls, password managers (designated class I) and operating systems, CPUs (designated class II). These products will have to undergo specific conformity assessment procedures carried out by notified third-party bodies. For each of these procedures, the CRA contains checklists with specifications that must all be met in order to successfully pass. Manufactures must also draw up an EU declaration of conformity and affix a CE marking to the product; and
  
• Ensure that PDEs are accompanied by information, such as the manufacturer’s details and point of contact where vulnerabilities can be reported, and detailed instructions for users including how security updates can be installed and how the product can be securely decommissioned.

Importers and Distributors

The above obligations primarily fall upon manufacturers. However importers and distributors of these products are subject to related obligations regarding those processes, including, only placing on the market PDEs that comply with the essential requirements set out under the law; ensuring that the manufacturer has carried out the appropriate conformity assessment procedures and drawn up the required technical documentation; and that PEDs bear the CE marking and is accompanied by required information for users. Where an importer or distributor identifies a vulnerability in a PDE, it must inform the manufacturer without undue delay, and must immediately inform market surveillance authorities where a PDE presents a “significant cybersecurity risk.”

Overlap with other EU Legislation

The CRA FAQ states that the Act aims to “harmonise the EU regulatory landscape by introducing cybersecurity requirements for products with digital elements and avoid overlapping requirements stemming from different pieces of legislation”. The application of the CRA is subject to certain exclusions where relevant PDEs are already covered by certain regulations – such as the NIS2 Directive and the AI Act (which are considered lex specialis to the CRA as lex generalis). In relation to high-risk AI systems, for example, the CRA explicitly provides that PDEs that also qualify as high-risk AI systems under the AI Act will be deemed in compliance with the AI Act’s cybersecurity requirements where they fulfil the corresponding requirements of the CRA. The listed regulations do not include DORA (Regulation 2022/2554), so there is the potential for overlap for those caught by DORA.

However, Article 2(4) CRA indicates that the application of the CRA may be limited or excluded where PDEs are covered by other Union rules laying down requirements addressing some or all of the risk covered by the essential requirements set out in Annex 1 CRA, in a manner consistent with the applicable regulatory framework, and where the sectoral rules achieve the same or a higher level of protection as that provided under the CRA.

The European Commission may also use its powers to adopt delegated acts in order to further clarify such limitations or exclusions, but in the absence of such delegated acts, the scope is somewhat unclear in respect of financial services entities, given the overlap with DORA.

Enforcement

The CRA provides for extensive participation by public authorities. Accordingly, the European Commission, ENISA and national authorities are granted comprehensive market monitoring, investigative and regulatory powers. For cross-border matters, the CRA also addresses the different procedures and principles for these authorities to cooperate with each other if disagreements arise in the interpretation and application of the law.

Authorities are also provided with the power to carry out so-called “sweeps”. Sweeps will be unannounced and coordinated, involving area-wide monitoring and control measures that are intended to provide information as to whether or not the requirements of the CRA are being complied with. It is particularly important to note that sweeps may apparently be carried out simultaneously by several authorities in close coordination, thus enabling the investigation of cross-border matters.

The CRA provides for a phased concept of administrative fines for non-compliance with certain legal requirements, which follows the model of recent European legislation and is intended primarily as a deterrent:

• Breaches of the essential cybersecurity requirements, conformity assessment and reporting obligations may result in administrative fines of up to EUR 15 million or up to 2.5% of annual global turnover, whichever is higher.

• Breaches of the other CRA rules, including requirements to appoint an authorised representative, obligations applicable to importers or distributors, and certain requirements for the EU declaration of conformity, technical documentation and CE marking, may result in administrative fines of up to EUR 10 million or up to 2% of annual global turnover, whichever is higher.

• Organisations which provide incorrect, incomplete or misleading information face administrative fines of up to EUR 5 million or, if the offender is an undertaking, up to 1% of annual turnover.

When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account, including the size and market share of the operator committing the infringement.

Non-compliance with CRA requirements may also result in corrective or restrictive measures, including the Market Surveillance Authorities or the Commission recalling or withdrawing products from the EU market.

As the methods for imposing administrative fines will be left to Member States to implement, there is the risk of significant legal uncertainty in relation to enforcement. Although the CRA specifies certain parameters, in particular criteria for the calculation of administrative fines, the proposed regulation raises concerns with regard to the uniform interpretation and application of the rules on administrative fines throughout the EU.

Next procedural steps

The CRA provides for a phased transition period, with the provisions on notification of conformity assessment bodies (Chapter VI) applying from 11 June 2026, and the reporting obligations for manufacturers taking effect from 11 September 2026. The remaining obligations will come into effect on 11 December 2027.  

The CRA is likely to present significant challenges for many companies. It is important that those entities falling within the scope of the CRA start preparing for its implementation. Manufacturers should assess current cybersecurity measures against the upcoming requirements to identify potential compliance gaps and start planning compliance strategies early, including understanding the requirements relating to conformity assessments; technical documentation; and new incident reporting requirements.

Please reach out to your usual DLA Piper contact if you would like to discuss further.

This article provides an overview of the framework for accessing health data for secondary use under the EHDS. It is based on the compromise text of the EHDS published by the Council of the European Union in March 2024.  

Improving access to health data for the purposes of supporting research and innovation activities is one of the key pillars of the EHDS and offers a potentially significant benefit for life sciences and healthcare companies who are looking for improved access to high-quality secondary use data.

By way of reminder, in general terms the EHDS creates a regime under which organisations may apply to a health data access body (“HDAB“) for access to electronic health data held by a third party, for one of a number of permitted secondary use purposes.  When required to do so by the HDAB, the company holding the health data (the health data holder) must then provide the data to the HDAB in order to satisfy the access request. The EHDS provides for safeguards to protect intellectual property rights and trade secrets, and there is some scope for health data holders to recover costs incurred in making data available.  

In more detail, the process operates as follows:

1. Access to secondary health data

The EHDS stipulates a specific process as well as certain requirements for the access to secondary health data.

In order to get access to secondary health data under the EHDS, the applicant must submit a data access application to the health data access body (“HDAB”). Each Member State must designate an HDAB which is, inter alia, responsible for deciding on data access applications, authorizing and issuing data permits, providing access to electronic health data and monitoring and supervising compliance with the requirements under the EHDS.

Further, the HDAB is responsible for ensuring that data that are adequate, relevant and limited to what is necessary in relation to the purpose of processing indicated in the data access application. The default position is that data will be provided in an anonymized format. However, if the applicant can demonstrate that the purpose of processing cannot be achieved with anonymized data, the HDAB may provide access to the electronic health data in a pseudonymised format.

The data access application must include at least the following:

• The applicant’s identity, description of professional functions and operations, including the identity of the natural persons who will have access to electronic health data;

• Which purposes the access is sought for including a detailed explanation of the intended use and expected benefit related to the use (e.g., protection against serious cross-border threats to health in the public interest, scientific research related to health or care sectors to ensure high levels of quality and safety of health care or medicinal products/devices with the aim of benefitting the end-users, including development and innovation activities for products and services);

• A description of the requested electronic health data, including their scope and time range, format and data sources, where possible, including geographical coverage where data is request from health data holders in several member states;

• A description whether electronic health data need to be made available in a pseudonymised or anonymized format, in case of pseudonymised format, a justification why the processing cannot be pursued using anonymized data. Further, where the applicant seeks to access the personal electronic health data in a pseudonymised format, the compliance with applicable data protection laws shall be demonstrated;

• A description of the safeguards, proportionate to the risks, planned to prevent any misuse of the electronic health data as well as to protect the rights and interests of the health data holder and of the natural persons concerned, including to prevent any re-identification of natural persons in the dataset;

• A justified indication of the period during which the electronic health data is needed for processing in a secure processing environment;

• A description of the tools and computing resources needed for a secure processing environment and, where applicable, information on the assessment of ethical aspects

Where an applicant seeks access to electronic health data from health data holders established in more than one Member State, the applicant must submit a single data access application to the HDAB of the main establishment of the applicant which shall be automatically forwarded to other relevant HDABs.

Also, there is the option to only apply for access to health data in anonymized statistical format with less formal requirements as well as a simplified procedure for trusted health data holders. The European Commission is responsible for creating templates for the data access applications.

• Requirements for the technical infrastructure

The HDAB shall only provide access to electronic health data pursuant to a data permit through a secure processing environment. The secure processing environment shall comply with the following security measures:

• Access to the data must be restricted to the natural persons listed in the data access application;

• Implementation of state-of-the-art technical and organisational measures to minimize the risk of unauthorized processing of electronic health data;

• Limitation of the input of electronic health data and the inspection, modification or deletion of electronic health data to a limited number of authorized persons;

• Ensure that access is only granted to electronic health data covered by the data access application;

• Keeping identifiable logs of access to and activities in the secure processing environment for not shorter than one year to verify and audit all processing operations;

• Monitoring compliance and security measures to mitigate potential security threats.

The HDAB shall ensure regular audits, including by third parties, of the secure processing environments and, if necessary, take corrective actions for any shortcomings or vulnerabilities identified.

• Data protection roles

From a data protection law perspective, the health data holder shall be deemed controller for the disclosure of the requested electronic health data to the HDAB pursuant to Art. 4 No. 1 GDPR. When fulfilling its tasks under the EHDS, the HDAB shall be deemed controller for the processing of personal electronic health data. However, where the HDAB provides electronic health data to a health data user pursuant to a data access application, the HDAB shall be deemed to act as processor on behalf of the health data user. The EU Commission may establish a template for controller to processor agreements in those cases.

• Fees for the access to health data for secondary use

The HDAB may charge fees for making electronic health data available for secondary use. Such fees shall cover all or part of costs related to the procedure for assessing a data access application and granting, refusing or amending a data permit, including the costs related to the consolidation, preparation, anonymization, pseudonymization and provisioning of electronic health data. The fees further include compensation for the costs incurred by the health data holder for compiling and preparing the electronic health data to be made available for secondary use. The health data holder shall provide an estimate of such costs to the HDAB.

Conclusion

The access to electronic health data for secondary use is a big opportunity especially for companies operating in the life science and healthcare sectors to get access to potentially large volumes of high-quality electronic health data for research and product development purposes. Although Chapter IV of the EHDS, which deals with the secondary use of electronic health data, will become applicable 4 years after the EHDS enters into force, companies are well-advised to begin preparation to gain access to electronic health data for secondary use at an early stage in order to gain a competitive advantage and to ensure that they are able to make direct use of the opportunities granted by the EHDS. Such preparation includes, inter alia, the early determination of the specific electronic health data required for the specific purpose the company wants to achieve as well as the set up of an infrastructure which meets the requirements under the

However, plans to amend the PDPO have been put on hold given concerns over the immense economic pressure it may exert on small or nano businesses to comply with the new regulations. The Government could alternatively consider introducing the amendments in a ‘piecemeal approach’ to reduce the impact on local businesses. For now, the Government has no definitive timeline on when the amendments to the PDPO will be introduced and will only provide updates upon developing more concrete proposals. In the meantime, we will continue to monitor for any further details in relation to the Government’s plans to update the PDPO.

The new Labour government first announced plans for a bill in the King’s speech in July. In a notable shift of emphasis from the DPDI Bill, the term ‘data protection’ has been dropped from the title of the Bill.  Reform to the data protection and e-privacy regime is still an important part of the Bill, but arguably secondary to emphasis within the bill on wider data related policy initiatives, focussed on facilitating digital identities and securing access to ‘smart’ or ‘open’ data sets. This is reflected in the Government’s introduction that the new Bill will “harness the enormous power of data to boost the UK economy by £10 billion” and “unlock the secure and effective use of data for the public interest, without adding pressures to the country’s finances“.

Key data protection law changes

The Bill proposes very limited changes to the UK data protection regime. These are targeted and incremental and unlikely to have a material impact on day-to-day compliance for most businesses operating in the UK.

The specific areas of reform proposed include:

• Scientific research definition and broad ‘consent to research’: The DUAB creates a statutory definition of scientific research to help clarify how the various provisions in the UK GDPR which refer to ‘research’ are intended to be applied. The intention is to clarify that ‘scientific research’ can extend to cover research “carried out for commercial or non-commercial activity” and includes any research that “can reasonably be described as scientific”. This replicates similar proposals in the DPDI Bill, which effectively bring into the UK GDPR references that appear in the recitals to the GDPR, that suggest a broad interpretation of “scientific research” should be applied. The DUAB also clarifies that an individual may be able to give consent to their data being used for more than one type of scientific research, even if at the time consent is provided, it is not possible to identify all of those research purposes.
  
• Recognised legitimate interests: The DUAB helpfully introduces the concept of ‘recognised legitimate interests’ to provide a presumption of legitimacy to certain processing activities that a controller may wish to carry out under Article 6(1)(f) (legitimate interests). Again this is a helpful carry over from the DPDI Bill. The DUAB also introduces a new provision requiring any new recognised legitimate interest to be necessary to safeguard an objective listed in Article 23(1) UK GDPR (i.e. public security, the prevention, investigation, detection or prosecution of crime, public health, data subject rights etc.).
  
• Automated Decision Making: The DUAB will remove the requirement to establish a qualifying lawful basis before conducting automated decision making (the requirement currently at Article 21(2) UK GDPR), except where special category data is used. This change is particularly relevant to organisations using AI systems, potentially allowing those organisations to use ADM more widely than under EU GDPR. However, data subjects will still benefit from rights of objection and human intervention, and organisations will still need to carefully assess their use of ADM. 
  
• Special category personal data: The DUAB grants the Secretary of State the authority to designate new special categories of personal data and additional processing activities that fall under the prohibition of processing special category data in Article 9(1) of the UK GDPR. This potentially extends the scope of additional protections afforded by Article 9, beyond the current prescribed list of categories of special category data in the UK GDPR. It is unclear whether the Government anticipates including any additional categories of data under this mechanism in the near term.

• Cookies: The DPDI Bill included a number of reforms to the rules on cookie consent. These have been retained in the DUAB. Businesses will likely find these changes helpful, as they have the effect of easing the consent requirements in some cases and provide greater clarity as to what falls within the “strictly necessary” exemption. One of the more challenging proposals by the previous government – that would have required cookie consent platforms to be centralised (e.g. into browsers) – has been withdrawn.
  
• PECR Enforcement Regime:  The Bill fully aligns the UK GDPR / DPA and PECR enforcement regimes. This effectively increases regulatory exposure under the PECR to potential fines equivalent to the UK GDPR.
  
• International Data Transfers – The DUAB introduces amendments that are designed to clarify the UK’s approach to the transfer of personal data internationally and the UK’s approach to conduct of adequacy assessments. These are technical changes, but notably the EU approach to adequacy anticipates a third country has a regime that is ‘essentially equivalent’ to the EU standard; the DUAB moves away from that to a new threshold that the third country offers safeguards that are ‘not materially lower than’ the UK.
  
• ICO: The DUAB retains the majority of the reforms to the ICO, including the name change to an Information Commission, rather than a Commissioner, introducing a formal Board structure with an appointed CEO. The DUAB also aims to reduce the number of complaints reaching the ICO – by requiring complaints to be made first to the controller, with escalation to the authority only if they are not satisfactorily dealt with.

Which proposed changes have been dropped?

Many of the other reforms to UK data protection law proposed in the DPDI Bill have been dropped.  Notably, the following provisions did not make their way into the new bill:

• The DPDI Bill proposed an expanded definition of ‘personal data’ which would have provided further clarification as to when data is related to an identified or identifiable individual and when it should be considered anonymous. That has been dropped.
  
• The DPDI Bill amended the accountability provisions within the UK GDPR, reducing the burden on smaller businesses to maintain records of processing, or carry out Data Protection Impact Assessments. Those changes have not be carried across. The role of the Data Protection Officer will also remain as is, with the previous proposal to replace the DPO with the concept of a ‘senior responsible individual’ dropped.
  
• The proposal in the DPDI Bill to exempt “vexatious” data subject access requests (in line with the terminology used in freedom of information law) has been discarded. Instead, the existing exemption of “manifestly unfounded or excessive” requests will continue to apply. Helpfully though the DUAB does incorporate a new provision allowing controllers to limit themselves to ‘reasonable and proportionate’ efforts in responding to access requests, a codification of ICO guidance and case law in this area.
  
• The proposal to remove a requirement on non-UK businesses to appoint a representative under Article 27 UK GDPR has been scrapped – the role of the representative in the UK remains for now.
  
• Some of the reform to the ICO has not survived, including the requirement for the ICO to take into account the government’s strategic priorities and some of the changes to the ICO’s enforcement powers.

Smart data schemes and digital identity verification

As noted above, data protection is no longer the main focus of the Bill, with large sections of the Bill set aside to deal with wider digital policy matters, including smart data schemes and certification for digital identity service providers “the Bill will create the right conditions to support the future of open banking and the growth of new smart data schemes” (HM Government).

• Smart data schemes – The DUAB gives the Secretary of State broad powers to make data regulations addressing access to business data and customer data, with sector specific ‘smart data’ regimes. Secondary legislation will follow that sets out much of the important detail here, but the essence of these provisions is to require data holders to provide or otherwise make available datasets, as well as give businesses and individuals the right to request access to those datasets. This is similar to elements of the EU Data Act and EU Data Governance Act at EU level, but goes further as it is not limited to IoT or public sector data. There is also a strong overlap with the European Health Data Space Regulation and the EU FIDA Regulation: promoting access to data for secondary uses and breaking down the barriers that exist between data holders and those persons, whether individuals or businesses, that would like access to data for certain, as yet undefined, purposes.
  
• Digital identity verification – The DUAB will separately establish a framework to facilitate the development of digital verification services. This framework aims to certify organisations that offer identity verification tools in accordance with the government’s trust framework standards. New provisions in the bill grant the Secretary of State the authority to deny certification on national security grounds and mandate that it consults with the Information Commissioner regarding relevant regulations.

What next?

Although the DUAB comes with some bold statements from the Government that it will “unlock the power of data to grow the economy and improve people’s lives“, the proposals represent incremental reform, rather than radical change. There are arguably no big surprises (and perhaps some missed opportunities) with much of the drafting a lighter version of what we saw in earlier drafts of the DPDI Bill, with some of the more innovative elements (around smart data access and use) still unclear as we await the detail of secondary legislation.

We will keep a close eye on the DUAB as it makes its way through Parliament. We expect a relatively smooth passage, given so much has already been through earlier legislative processes , so extensive debate seems unlikely.