In a recent update from the Secretary of State for the Department for Science, Innovation and Technology (found here, Cyber security and resilience policy statement – GOV.UK), the UK Government has started to address some of this anticipation, dropping clues as to how the CS&R Bill will look when compared to its European cousin. So, what have we learnt about the Bill and its alignment with NIS2?

Expanded scope

In addition to the current in-scope sectors (energy, transport, health, drinking water supply and distribution, and digital infrastructure, as well as some digital services such as online marketplaces, search engines and cloud computing), the policy statement confirms the intention to bring Managed Service Providers (“MSPs“) within the remit of cyber security regulation, subjecting them to the same duties as ‘relevant digital service providers’ under the current NIS regulations. MSPs (also regulated by NIS2) are B2B services that provide IT systems, infrastructure and network support.

The Government also demonstrated its commitment to bolster supply chain security for operators of essential services (“OES“) and relevant digital service providers (“RDSPs“) that meet certain thresholds. Secondary legislation is intended to be used as a vehicle for imposing stricter duties on contractual requirements, security checks and continuity plans in an effort to target underlying cyber vulnerabilities in supply chains echoing, if not exceeding the requirements of NIS2 to ensure cybersecurity controls extend to the supply chains of in-scope entities. Additionally, regulators will have the power to identify suppliers of critical services (including SMEs) whose disruption could cause significant impacts on the essential/digital service being supplied. These will be classed as “designated critical suppliers” (“DCS“), bringing them within scope of core security requirements and reporting obligations.

While expansion of the UK’s cybersecurity regime to include MSPs and critical supply chains will bring us one step closer to the reforms sweeping EU nations, it is unclear whether the UK will follow Europe in expanding the scope of cyber regulation to include sectors such as public administration entities, space, manufacturing, food production and postal and courier services (to name but a few).

Regulatory reinforcement

Perhaps amongst the measures most easily associable with the CS&R Bill’s European counterpart will be the updated incident reporting criteria. Incidents that are “capable of having a significant impact on the provision of essential or digital services and that significantly affect the confidentiality, availability, and integrity of a system” will need to be reported. This closely follows the requirements found in Art 23 of NIS2, as does the requirement that entities such as data centres and those providing digital services will be obligated to report incidents directly to customers in certain instances.

Equally alike in their resemblance to NIS2 are the reporting deadlines, with the relevant regulator and National Cyber Security Centre (“NCSC“) to be notified of significant incidents within 24 hours, and further incident reports to be provided within 72 hours. As the policy statement makes clear, “in practice [the Government] intends this procedure to be similar to, and no more onerous, than the… NIS2 directive“.

To provide some steer to regulators in their additional duties, the Government aims to issue a code of practice setting out guidance on minimum regulatory requirements which will put the existing NCSC Cyber Assessment Framework (CAF) profiles on a firmer footing and extend their scope to include OES. Particular focus is also given to the UK Information Commissioner (“ICO“) as a national guardian of cyber security, with a raft of seemingly familiar powers relating to registration and notice requirements, information sharing and enforcement, being introduced to support risk identification and mitigation. This all comes with a boost in financial means, as regulators will be able to set fees regimes and recover costs through various measures in order to contribute to financing their increase in regulatory work.

Measures to keep on your radar

Despite not confirming their inclusion in the CS&R Bill, the Government flagged upcoming measures to keep an eye on. Most notable would be the classification of data centres as an essential service, bringing them within scope of the regulatory framework and aligning with NIS2’s approach. This has been contemplated since their designation as Critical National Infrastructure in September 2024 and would aim to strengthen the level of consistency and protection across the sector.

Other contemplated measures include bolstered powers for the Secretary of State, allowing a Statement of Strategic Priorities to be issued as well as powers of direction relating to entities and regulators. Collectively, these would allow the Government to require certain actions be taken to address significant incidents and threats to national security.

Conclusion

In summary, it is clear that the Government’s planned amendments to the current NIS Regulations will make clear and decisive steps to bridge UK cyber laws and the new European NIS2 regime. However, the CS&R Bill does not appear to be following NIS2 in expanding the reach of its reforms to a raft of new industries. While Managed Service Providers are the biggest industry to whom new UK laws will apply, it is likely that many of the industries new to the NIS2 regime – for example food producers and chemicals manufacturers – will remain beyond the UK’s cyber reforms. Only time will tell whether that remains the case when the fully-formed Bill hits the statute books, the timing of which is still unclear.

From the little we do know however, it is evident that the burden and application of cyber regulation together with accompanying cyber certifications and industry standards will only increase, making it more critical than ever that businesses operating in both the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Only then can businesses be ready for the inevitable swathe of new cyber regulation hitting UK shores, as well as the very real cyber threat it is all aimed at combatting.

The new Labour government first announced plans for a bill in the King’s speech in July. In a notable shift of emphasis from the DPDI Bill, the term ‘data protection’ has been dropped from the title of the Bill.  Reform to the data protection and e-privacy regime is still an important part of the Bill, but arguably secondary to emphasis within the bill on wider data related policy initiatives, focussed on facilitating digital identities and securing access to ‘smart’ or ‘open’ data sets. This is reflected in the Government’s introduction that the new Bill will “harness the enormous power of data to boost the UK economy by £10 billion” and “unlock the secure and effective use of data for the public interest, without adding pressures to the country’s finances“.

Key data protection law changes

The Bill proposes very limited changes to the UK data protection regime. These are targeted and incremental and unlikely to have a material impact on day-to-day compliance for most businesses operating in the UK.

The specific areas of reform proposed include:

• Scientific research definition and broad ‘consent to research’: The DUAB creates a statutory definition of scientific research to help clarify how the various provisions in the UK GDPR which refer to ‘research’ are intended to be applied. The intention is to clarify that ‘scientific research’ can extend to cover research “carried out for commercial or non-commercial activity” and includes any research that “can reasonably be described as scientific”. This replicates similar proposals in the DPDI Bill, which effectively bring into the UK GDPR references that appear in the recitals to the GDPR, that suggest a broad interpretation of “scientific research” should be applied. The DUAB also clarifies that an individual may be able to give consent to their data being used for more than one type of scientific research, even if at the time consent is provided, it is not possible to identify all of those research purposes.
  
• Recognised legitimate interests: The DUAB helpfully introduces the concept of ‘recognised legitimate interests’ to provide a presumption of legitimacy to certain processing activities that a controller may wish to carry out under Article 6(1)(f) (legitimate interests). Again this is a helpful carry over from the DPDI Bill. The DUAB also introduces a new provision requiring any new recognised legitimate interest to be necessary to safeguard an objective listed in Article 23(1) UK GDPR (i.e. public security, the prevention, investigation, detection or prosecution of crime, public health, data subject rights etc.).
  
• Automated Decision Making: The DUAB will remove the requirement to establish a qualifying lawful basis before conducting automated decision making (the requirement currently at Article 21(2) UK GDPR), except where special category data is used. This change is particularly relevant to organisations using AI systems, potentially allowing those organisations to use ADM more widely than under EU GDPR. However, data subjects will still benefit from rights of objection and human intervention, and organisations will still need to carefully assess their use of ADM. 
  
• Special category personal data: The DUAB grants the Secretary of State the authority to designate new special categories of personal data and additional processing activities that fall under the prohibition of processing special category data in Article 9(1) of the UK GDPR. This potentially extends the scope of additional protections afforded by Article 9, beyond the current prescribed list of categories of special category data in the UK GDPR. It is unclear whether the Government anticipates including any additional categories of data under this mechanism in the near term.

• Cookies: The DPDI Bill included a number of reforms to the rules on cookie consent. These have been retained in the DUAB. Businesses will likely find these changes helpful, as they have the effect of easing the consent requirements in some cases and provide greater clarity as to what falls within the “strictly necessary” exemption. One of the more challenging proposals by the previous government – that would have required cookie consent platforms to be centralised (e.g. into browsers) – has been withdrawn.
  
• PECR Enforcement Regime:  The Bill fully aligns the UK GDPR / DPA and PECR enforcement regimes. This effectively increases regulatory exposure under the PECR to potential fines equivalent to the UK GDPR.
  
• International Data Transfers – The DUAB introduces amendments that are designed to clarify the UK’s approach to the transfer of personal data internationally and the UK’s approach to conduct of adequacy assessments. These are technical changes, but notably the EU approach to adequacy anticipates a third country has a regime that is ‘essentially equivalent’ to the EU standard; the DUAB moves away from that to a new threshold that the third country offers safeguards that are ‘not materially lower than’ the UK.
  
• ICO: The DUAB retains the majority of the reforms to the ICO, including the name change to an Information Commission, rather than a Commissioner, introducing a formal Board structure with an appointed CEO. The DUAB also aims to reduce the number of complaints reaching the ICO – by requiring complaints to be made first to the controller, with escalation to the authority only if they are not satisfactorily dealt with.

Which proposed changes have been dropped?

Many of the other reforms to UK data protection law proposed in the DPDI Bill have been dropped.  Notably, the following provisions did not make their way into the new bill:

• The DPDI Bill proposed an expanded definition of ‘personal data’ which would have provided further clarification as to when data is related to an identified or identifiable individual and when it should be considered anonymous. That has been dropped.
  
• The DPDI Bill amended the accountability provisions within the UK GDPR, reducing the burden on smaller businesses to maintain records of processing, or carry out Data Protection Impact Assessments. Those changes have not be carried across. The role of the Data Protection Officer will also remain as is, with the previous proposal to replace the DPO with the concept of a ‘senior responsible individual’ dropped.
  
• The proposal in the DPDI Bill to exempt “vexatious” data subject access requests (in line with the terminology used in freedom of information law) has been discarded. Instead, the existing exemption of “manifestly unfounded or excessive” requests will continue to apply. Helpfully though the DUAB does incorporate a new provision allowing controllers to limit themselves to ‘reasonable and proportionate’ efforts in responding to access requests, a codification of ICO guidance and case law in this area.
  
• The proposal to remove a requirement on non-UK businesses to appoint a representative under Article 27 UK GDPR has been scrapped – the role of the representative in the UK remains for now.
  
• Some of the reform to the ICO has not survived, including the requirement for the ICO to take into account the government’s strategic priorities and some of the changes to the ICO’s enforcement powers.

Smart data schemes and digital identity verification

As noted above, data protection is no longer the main focus of the Bill, with large sections of the Bill set aside to deal with wider digital policy matters, including smart data schemes and certification for digital identity service providers “the Bill will create the right conditions to support the future of open banking and the growth of new smart data schemes” (HM Government).

• Smart data schemes – The DUAB gives the Secretary of State broad powers to make data regulations addressing access to business data and customer data, with sector specific ‘smart data’ regimes. Secondary legislation will follow that sets out much of the important detail here, but the essence of these provisions is to require data holders to provide or otherwise make available datasets, as well as give businesses and individuals the right to request access to those datasets. This is similar to elements of the EU Data Act and EU Data Governance Act at EU level, but goes further as it is not limited to IoT or public sector data. There is also a strong overlap with the European Health Data Space Regulation and the EU FIDA Regulation: promoting access to data for secondary uses and breaking down the barriers that exist between data holders and those persons, whether individuals or businesses, that would like access to data for certain, as yet undefined, purposes.
  
• Digital identity verification – The DUAB will separately establish a framework to facilitate the development of digital verification services. This framework aims to certify organisations that offer identity verification tools in accordance with the government’s trust framework standards. New provisions in the bill grant the Secretary of State the authority to deny certification on national security grounds and mandate that it consults with the Information Commissioner regarding relevant regulations.

What next?

Although the DUAB comes with some bold statements from the Government that it will “unlock the power of data to grow the economy and improve people’s lives“, the proposals represent incremental reform, rather than radical change. There are arguably no big surprises (and perhaps some missed opportunities) with much of the drafting a lighter version of what we saw in earlier drafts of the DPDI Bill, with some of the more innovative elements (around smart data access and use) still unclear as we await the detail of secondary legislation.

We will keep a close eye on the DUAB as it makes its way through Parliament. We expect a relatively smooth passage, given so much has already been through earlier legislative processes , so extensive debate seems unlikely.

But in the UK, we are not alone in recognising cyber as one of the most significant threats of our age. In the recitals to NIS2, the EU Commission notes that the “number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems” with the result that they “impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society“. The EU’s response was to enact a bolstered NIS2 which significantly expands the number of entities directly in scope; includes a focus on supply chains; enhances the powers of enforcement and supervision available to local authorities; steps up incident reporting obligations; and imposes ultimate responsibility for compliance at a senior management level. With DORA, the EU adds another layer of regulation, trumping the requirements of NIS2 for the financial services sector.

So how will the UK’s new Bill compare? Our article looking at the initial indications released by Government to try and answer that question is available here.

Between 10 January and 3 March 2023, SkyBet’s website dropped third-party AdTech cookies to visitors’ browsers before visitors could accept or reject them via a cookie banner. As a result, the visitors’ personal data (e.g., device information and unique identifiers) was shared automatically with third-party AdTech companies without visitors’ consent or a lawful basis. The cookies were deployed to allow advertising to be placed on other websites viewed by the visitor.

Whilst the ICO found no evidence of deliberate misuse of personal data to target vulnerable gamblers, it reprimanded SkyBet because it processed personal data in a way that was not lawful, transparent or fair.

This reprimand forms part of the ICO’s wider strategy to ensure that individuals’ rights and freedoms are respected. The ICO has recently reviewed the UK’s most-visited 100 websites and contacted more than half to warn of enforcement action. Many are reported to have implemented improvements, such as displaying a “reject all” button or presenting “accept all” and “reject all” options on an equal footing.

The ICO intends to assess the next 100 most-frequented websites and urges all organisations to assess their cookie banners to ensure freely given consent may be given. The ICO also intends to publish guidance on cookies and tracking technology before the end of the year.

DLA Piper advises all businesses on cookie compliance and is currently engaged by several businesses operating in the AdTech ecosystem, on assessing risk exposure and responding to ICO engagement. Should you wish to discuss this further, please reach out to your regular DLA Piper contact, or the authors of this blog.

In order to capture the benefits of data-driven innovation, the EU and the UK are taking action to facilitate data sharing across various industries.

In the EU, the European Commission is investing €2 billion to foster the development of so-called “common European data spaces” and the associated digital infrastructure. The UK government has announced similar, mainly policy, initiatives regarding the establishment of data-sharing frameworks, referred to as smart data schemes.

Despite the shared objectives, differences emerge between the EU and UK approaches, raising questions about alignment, implementation efficiency and market dynamics.

In this article, DLA Piper:

• Explores the concepts of data spaces and data schemes, and the policy objectives behind them.
• Gives an overview of the emerging rules that will be part of the foundation of these data-sharing frameworks in the EU and the UK.
• Examines what can be expected from these initiatives and what hurdles still need to be overcome in order to secure successful implementation.

The article is available here.

Since the introduction of the ICO’s Children’s code of practice in 2021, the ICO has been working with online services to improve privacy protections for children and has placed it at the top of its agenda of priorities for 20245/2025. The new Children’s Code Strategy aims to build on this progress and sets out the priority areas social media and video-sharing platforms need to improve on. In particular, the Children’s Code Strategy will focus on: default privacy and geolocation settings; profiling children for targeted advertisements; and using children’s information in recommender systems. 

Similarly, Ofcom has also issued a new Children’s Safety Code which imposes new duties on services that can be accessed by children, including social media sites and apps and search engines. Firms must assess the risk their service poses to children and then implement safety measures to mitigate those risks. In addition, Ofcom has published its consultation on protecting children from harms online, which focusses on proposals for how internet services that enable the sharing of user-generated content (‘user-to-user services’) and search services should approach their new duties relating to content that is harmful to children.

Both regulators recognise that there are strong synergies and also tensions between online safety and privacy and have therefore committed to work together where their remits intersect. It will be fundamental to effective regulation that comprehensive protection is afforded to online users and clarity is given to providers of online services to ensure they can navigate the changing legal landscape with “regulatory clarity and free from undue burden.”[1]

In this vein, both regulators issued a joint statement earlier this month setting out “collaboration themes” where they will “work together on areas of mutual interest to achieve a coherent approach to regulation”. These themes will be continuously monitored and subject to change as new priorities emerge, but the joint statement has highlighted the following indicative illustrative examples of such collaborative themes:

• Age Assurance – the range of approaches used to estimate or establish the age of users to put in place protections appropriate to age or mitigate risk of harms arising from processing children’s personal data.
  
• Recommender systems – the use of algorithms to curate and determine the ranking of content to online users based on their characteristics, inferred interests and behaviour.
  
• Proactive tech and relevant AI tools – this refers to a range of technology which may be able to analyse and assess whether content of a particular kind; assessment of patterns of online behaviour; or user profiling technology.
  
• Default settings and geolocation settings for child users – For children’s data, settings must be high privacy by default with geolocation switched off, unless there is a compelling reason to do otherwise.
  
• Online safety privacy duties – duties under the ODA require online service providers to have regard to protecting users from a breach of statutory provisions/ rules of law concerning privacy when deciding on safety measures.
  
• Upholding terms, policies and community standards – Services must publish clear and accessible terms of service and must uphold them.

The statement has also outlined proposed ways of working together which include identification of companies of mutual interest – where companies or services are subject to both the online safety and data protection regimes, and are of current regulatory interest to both the ICO and Ofcom, the regulators may routinely share information between each other relating to generic information concerning information requests on online safety matters (but not the content of the requests); stakeholder meetings; or publicly available information which may be of interest to each other.

With increasing numbers of children spending their time online, children’s safety will continue to be a focus for regulators, both in the UK and globally. The focus for application of both regimes is not whether the online service actively allows children on the site or actively collects children’s data, but whether, in practice, the service is likely to be accessed by children. Two key principles which are common to both are transparency – to be clear to users whether, and how you process their information and which kinds of potentially harmful content a service may allow; and accountability – conducting risk assessments, implementation of safety measures and safeguards to protect children and keep such assessments under periodic review. It is therefore critical for organisations to establish whether your online services may fall within the scope of data protection law, the Online Safety Act, or both and to develop appropriate compliance frameworks accordingly.

Should you wish to discuss any matter contained within this article, please get in touch with your usual DLA Piper contact.

[1] From previous joint statement published in November 2022

Background

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Regulations) are the first set of regulations enacted under the Product Security and Telecommunications Infrastructure Act 2022 (Act).  The Act is a key pillar of the UK government’s cyber security strategy and can be compared with the EU’s pending Cyber Resilience Act, which similarly looks to impose cybersecurity standards for digital products.

Scope

The Regulations create requirements for ‘relevant connectable products’ which are ‘made available to consumers’ in the UK.   This encompasses both internet-connected products, as well as devices that connect to such products (‘network connectable products’), where these are sold, or otherwise provided (e.g., as a prize or free giveaway), by a business to a consumer.  The Regulations will also apply to foreign manufactured products that are put on the market in the UK.

Importantly, under Schedule 3 to the Regulations, certain products that are subject to existing safety regimes are exempt.  These include medical devices, computers (other than those intended exclusively for children under 14) and smart meters.

Relevant requirements

The Regulations impose minimum security requirements on the manufacturers of connected products.  These are detailed in Schedule 1 to the Regulations and in outline are:

1. Passwords  – these must be unique per product or capable of being defined by the user of the product.  
   
2. Information on how to report security issues  – the manufacturer must provide clear information about how to report product related security issues. Acknowledgment of the receipt of a report and status updates must also be provided. 
   
3. Information on minimum security update periods  – information about the security update cycle for the product must be provided in a way that is understandable for a reader without prior technical knowledge.  

Manufacturers will need to produce (and importers will need to retain) a statement of compliance attesting to the products compliance with the security requirements.

Enforcement

In cases of non-compliance, the Act provides the Secretary of State with a range of enforcement powers.  These include mandatory product recalls, stop notices and fines of up to £10m or 4% of worldwide revenue.