The proposals set out in the consultation paper aim to protect UK businesses, citizens, and critical infrastructure from the growing threat of ransomware, by reducing the financial incentives for criminals targeting UK organisations and to improve intelligence and understanding of ransomware to support the overall resilience of the UK’s cyber defences.

Summary of key proposals

The consultation sets out three key proposals:

1. A targeted ban on ransomware payments   – a targeted ban on ransomware payments for all public sector bodies (including local government) and critical national infrastructure (CNI) owners and operators. This proposal goes beyond the current principle that central government departments cannot make ransomware payments – by prohibiting all organisations in the UK public sector from making a payment to cyber criminals in response to a ransomware incident, as well as including CNI owners and operators. This aim of the proposal is to deter criminals by ensuring they cannot profit from attacking essential services. However, the possible impact of this is unclear and the government is seeking input on whether suppliers to such bodies/entities should also be included. The prohibition of ransomware payments by public sector bodies and critical national infrastructure may have a deterrent effect, assuming the threat actors in question are motivated by financial purposes, but a failure to include supply chain would likely simply shift the threat actors’ focus downstream.  However, inclusion of the entire chain could be extremely far reaching, particularly where such vendors provide products/services across multiple sectors.
   
   It is also not clear how this proposal will be enforced in practice and the government is seeking views on appropriate measures to support compliance. The consultation includes a number of possible measures, ranging from criminal penalties (such as making non-compliance with the ban a criminal offence) or civil penalties (such as a monetary penalty or a ban on being a member of a board).                                      

2. A new ransomware payment prevention regime – requiring all victims, including those not within the scope of the ban, to “engage with the authorities and report their intention to make a ransomware payment before paying over any money to the criminals“. After the report is made, the potential victim would receive support and guidance including the discussion of non-payment resolution options. Under the proposals, the authorities would review the proposed payment to see if there is a reason it needs to be blocked (e.g. known terrorist organisations). If the proposed payment is not blocked, it would be a matter for the victim whether to proceed. Input is sought on the best measures for encouraging compliance with this regime, as well as what additional support and/or guidance should be provided – possibly building on existing collaboration between the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).

3. A ransomware incident reporting regime –  a mandatory ransomware incident reporting regime, which could include a threshold-based requirement for suspected victims to report incidents, enhancing the government’s understanding and response capabilities. Input is sought on whether this should be economy wide, or only apply to organisations/individuals meeting a certain threshold. The consultation proposes that organisations will have 72 hours to provide an initial report of the incident and then 28 days to provide the full report. It is unclear how these reporting requirements will align with existing incident reporting obligations, however, the government has stated that the intent is to ensure that “UK victims are only required to report an individual ransomware incident once, as far as possible“.

These proposals, if implemented in their broadest form, will pose a significant challenge for any business impacted by a ransomware incident, requiring mandatory reporting of such incidents, as well as a need to wait for guidance from authorities before making any payments.  This is likely to be particularly problematic where threat actors are imposing deadlines for payment and could lead to significant disruptions to essential services where a ransomware attack has occurred and payment is not possible. The impact of the proposals on organisations not subject to the ban is also unclear, particularly in relation to reporting and disclosure requirements and how these will align with incident/breach notification obligations.

The consultation closes on 8 April 2025.

The majority of the amendments to the Privacy Act 1988 (Cth) will commence the day after the Privacy Act Bill receives Royal Assent, with a few exceptions.

The Privacy Act Bill contains key amendments to the Privacy Act including:

• A statutory tort for serious invasions of privacy – this will only apply (amongst other criteria) where the conduct in question was intentional or reckless, and this section of the Bill will take effect no later than six months after the Act receives Royal Asset.
• The framework for a Children’s Online Privacy Code – this will be developed by the Information Commissioner and will apply to social media platforms and any online services likely to be accessed by children.
• Tiered sanctions for less serious privacy breaches – this includes civil penalties of up to AUD 3.3 million for an “interference with privacy” and lower level fines of up to AUD 330,000 for administrative breaches, such as deficient privacy policies.  The headline penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover, remain for conduct which amounts to a “serious interference with privacy”.
• Requirements to include details of the use of automated decision making into privacy policies, where personal information is used in wholly or substantially automated decision making that could reasonably be expected  to significantly affect the rights or interests of an individual.  This requirement will not take effect for 24 months however.
• The introduction of a criminal offence for doxing.
• Eligible data breach declarations and information sharing – these are designed to allow limited information sharing following a data breach, in circumstances which would otherwise be in breach of the Privacy Act (such as disclosing information to banks and other institutions for the purpose of enhanced monitoring).
• Clarifications to APP 11 to ensure it is clear that the reasonable steps which entities must take to protect personal information include “technical and organisation measures”.
• The introduction of equivalency decisions under APP 8 to facilitate cross-border transfers of data.

Our previous post, available here, provides further insights regarding these changes.

Whilst the Privacy Act Bill implements some of the recommendations from the Privacy Act Review Report, subsequent tranches of amendments are expected in the next 12-18 months to implement the remaining recommendations.

The Cyber Security Act 2024 (Cth), which received Royal Asset on 29 November 2024, introduces:

• A mandatory ransomware reporting requirement – reports must be made to the Department of Home Affairs if a ransomware payment is paid to an extorting entity. This requirement will be implemented after a 6 month implementation period, and is drafted so as to also capture ransomware payments made on behalf of an entity doing business in Australia.
• A Cyber Review Board which will conduct no-fault, post incident reviews of significant cyber security incidents in Australia.
• A limited use exception –  this prevents information which is voluntarily provided to certain Government departments from being used for enforcement purposes, and is designed to encourage enhanced cooperation between industry and Government during cyber incidents.
• Mandatory security standards for smart devices.

Our previous post, available here, includes further details on cyber security legislative package.

Vietnam

Vietnam issued its first draft of a new Personal Data Protection Law (“PDPL”) in September 2024, for public consultation. The PDPL is anticipated to be adopted in May 2025, and it is tentatively scheduled to come into effect on 1 January 2026. The draft PDPL aims to create a more robust framework for data protection in Vietnam by unifying, clarifying, enhancing and supplementing the existing data protection rules set out in Vietnam’s existing Personal Data Protection Decree (“PDPD”). It remains unclear how the PDPD and draft PDPL will work together in practice, although some commentators suggest the PDPL will supersede the PDPD.

In addition to setting out eight personal data protection principles, the draft PDPL focuses on discussing specific compliance requirements for a number of processing activities and industries, including direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance and social media. Key highlights proposed in the draft PDPL include (this is not a comprehensive list):

• Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
• Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
• Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ from ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
• Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessment for transferors (“TIA”) would have to be updated upon certain material change to the organisation were the draft PDPL to be implemented.
• Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
• Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organisations could earn trust ratings based on an assessment of their personal data protection practices.
• Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.

Malaysia

Significant changes to Malaysia’s Personal Data Protection Act (“PDPA”) were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old (first passed in 2010), and so the amendments are largely to update the Malaysia data protection framework, to align it with more modern data protection laws elsewhere in Asia. The key amendments are:

• mandatory breach notification;
• mandatory appointment of DPOs;
• direct obligations on data processors;
• data portability rights for data subjects;
• change of “data user” terminology to the more familiar “data controller”;
• expanding sensitive personal data to include biometric data;
• removing rights of deceased individuals re their personal data;
• increased penalties (now fines of up to MYR1,000,000 and/or imprisonment of up to three years); and
• updating the cross-border data transfer framework, to remove the “whitelist” of approved jurisdictions, and instead allowing transfers to jurisdictions with equivalent standards of protection. 

Besides the amendments to the PDPA, the Commissioner will develop guidelines to supplement the PDPA. The guidelines will cover areas including data breach notification, appointment of data protection officer, data portability, cross border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision making.

Indonesia

Finally, a reminder that Law No.27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia’s first omnibus data protection law, came into full effect, after a two-year grace period, on 17 October 2024. For further information about the compliance obligations introduced by the PDP Law, please see our earlier updates Indonesia: prepare now for the new Personal Data Protection Law | Privacy Matters and INDONESIA: Personal Data Protection Law PDPL Now in Force | Privacy Matters.

1. Prepare your communications strategy in advance

A cyber incident can hit any organisation, regardless of size, at any time. The NCSC therefore advocates a proactive strategy ready to be deployed when required, to lessen the impact of the incident.

Steps to consider include:

• Identifying an official spokesperson for the organisation when communicating with stakeholders such as the media, customers and employees.
• Identifying key stakeholders ahead of time. Who needs to be informed, and how will this be achieved (bearing in mind that usual channels may be unavailable)?  
• Drafting and agreeing pre-approved templates for communications. Whilst no one size will fit all, this can include style media requests, internal updates to staff and notifications to customers, to be tailored as necessary. Drafting these templates ahead of time will save time and ensure the organisation is speaking with a unified voice.

The NCSC highlights the importance of regular testing of the strategy, through tabletop exercises and simulations, to ensure its effectiveness and identifying any areas for amendment or improvement.

2. Communicate clearly and tailor your messaging where necessary

The NCSC states that communications should be ‘clear, consistent, authoritative, accessible and timely’. It is also important that any communications released before, during or after a cyber security incident inform stakeholders whilst also maintaining reputation and credibility. Factors to consider include:

• Information to stakeholders needs to be clear, but balanced to ensure that information is not disclosed that may heighten any risk to the victim, or which runs the risk of requiring later retraction as the incident develops. It is essential to ensure the communication strategy suits key stakeholders, and that specific concerns of each group are addressed.
• The impact of the incident should be reflected in communications to those who suffer consequences, with acknowledgment of the practical consequences as opposed to focussing solely on technical detail.
• Development of a Q&A document should be an early priority in incident response: preparation of responses to common stakeholder queries in advance will enable consistency in response and provide assurances that communications address key and recurrent concerns.

3. Manage the aftermath

Finally, NCSC guidance urges organisations to think about the long term. Whilst an immediate response in the aftermath of an incident will be the primary focus consider what the approach is going to be in the weeks and months after, depending on the recovery time. How regularly will you provide updates? How will any incident and subsequent responses be used to inform future preparedness and any lessons learned?

How can we help?

The NCSC guidance provides welcome direction on the expectations on organisations when preparing for and responding to cyber security incident. The key message – in keeping with any cyber resilience strategy is to prepare ahead of time. Increasingly, we are seeing regulators, customers, and other stakeholders taking interest in the controls and procedures that were in place prior to any cyber incident and their fitness for purpose.

Taking time long before the “white heat” of any incident to design, deploy and ensure the continued fitness for purpose of response plans, including communications, is time well spent.

Should you wish to discuss communications response plans, table top exercises, or any other aspects of cyber resilience planning, then please do not hesitate to contact us.

NIS2 is part of the EU’s Cybersecurity Strategy and repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like its predecessor, it establishes measures for a common level of cybersecurity for critical services and infrastructure across the EU and also aims to respond to perceived weakness of NIS1 regime and the needs of increasing digital change. NIS2 establishes harmonised cybersecurity risk management measures and reporting requirements for highly critical sectors. It has a much wider scope than its predecessor – many sectors come under NIS2 for the first time.

Although some Member States such as Croatia, Hungary and Belgium have transposed the directive into national legislation, as the map below demonstrates, the majority of EU countries do not yet have the relevant implementing legislation in place, even less so the broader frameworks and guidance that would equip organisations with the necessary tools to achieve compliance. This will pose difficulties for organisations, especially those with in-scope operations in multiple EU jurisdictions, as they evaluate the scope of their exposure and work towards compliance.

Visit our EU Digital Decade topic hub for further information on NIS2 and the EU’s Cybersecurity Strategy. If you have any questions, please get in touch with your usual DLA contact.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

• Network data: the Regulation governs electronic data processed and generated via networks (“network data“) and applies to all the processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  
• Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.  

Key Compliance Obligations

The Regulation focuses on four key areas:

• personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  
• “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  
• important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  
• online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”. 

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:   

• Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  
• Data processing agreements (“DPAs”) and record-keeping: the obligation on network data handlers to enter into a DPA with each third party to which it transfers personal information is clarified now to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  
• Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  
• Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

• Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. We now face the situation of, instead of waiting for important data catalogues to be published, rather unhelpfully network data handlers operating in sensitive industries may need to be prepared to identify and report its own important data based on the guidelines given by the authorities.  
  
• DPA: it is now clear that network data handlers must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  
• Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.  
  
• Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  
• Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  
• Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler who processes personal information of more than 10 million data subjects to comply with the “network security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

• platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  
• app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing – complex and ever-evolving – China data protection framework, and requires organisations handling China data to update their China data compliance obligations to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

The key takeaways from the new Bills are summarised below:

Mandatory ransomware reporting

The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.

A report will need to be made to the Department of Home Affairs within 72 hours, if the following criteria are met:

• a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
• an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
• the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.

Some Australian businesses will be exempt from the reporting requirement, if their annual turnover falls below an as-yet unspecified amount.

A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.

Cyber Review Board

Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience, by providing recommendations to Government and industry based on lessons learned from previous incidents.

Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses. 

The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from of a pool of industry members with relevant expertise.

Limited Use Exception

A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.

The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.

Crucially, it guarantees that information which is provided voluntarily or in response to a request within the framework of the limited use regime cannot later be used against the entity by a regulator.

The ‘limited use’ obligation will apply to information provided to, acquired or prepared by the National Cyber Security Coordinator or ASD by an impacted entity during a cyber security incident, as well information which is provided on behalf of the impacted entity (such as by its external advisors).

Mandatory security standards for smart devices

The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.

Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.

The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.

Security of Critical Infrastructure

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.

The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia. 

The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.

Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.

We will provide further updates once these Bills are passed. 

But in the UK, we are not alone in recognising cyber as one of the most significant threats of our age. In the recitals to NIS2, the EU Commission notes that the “number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems” with the result that they “impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society“. The EU’s response was to enact a bolstered NIS2 which significantly expands the number of entities directly in scope; includes a focus on supply chains; enhances the powers of enforcement and supervision available to local authorities; steps up incident reporting obligations; and imposes ultimate responsibility for compliance at a senior management level. With DORA, the EU adds another layer of regulation, trumping the requirements of NIS2 for the financial services sector.

So how will the UK’s new Bill compare? Our article looking at the initial indications released by Government to try and answer that question is available here.

Scam Code Act

In light of the 601,000 scams reported by Australians in 2023 accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will introducing a new Scam Code Act.

This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Consumer & Competition Commission will be granted powers to draft mandatory codes across the three sectors, and also for individual business and platforms. It is expected that the new regime will also include requirements for:

• platforms to verify their advertisers;

• banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;

• carriers to take certain measures to prevent scams being spread by SMS;

• companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and

• all companies to maintain a “scams defence plan” to assist customers.

It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.  

Other cyber security measures  

As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. In order to combat existing gaps in regulation, consultation was sought on the following proposed measures:

• mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;

• creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia,in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to disclose;

• creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and

• establishing Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.

The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.

1. What is the primary goal of the proposed legislation?

The proposed legislation, as set out in the paper submitted by the Hong Kong Government to the Legislative Council Panel on Security on 25 June 2024, aims to enhance the security of Hong Kong’s CIs that are necessary to maintain  “normal functioning” of Hong Kong society and people’s lives, by minimising the chance of disruption to, or compromise of, essential services by cyberattacks.

2. Who and what will be captured by the proposed legislation?

The proposed legislation would regulate only CI operators (“CIOs”) in respect of their critical computer systems (“CCSs”). Similar to the helpful approach in Mainland China, both CIOs and CCSs will be expressly designated by a new Commissioner’s Office to be set up (or, as explained in Question 6 below, the Designated Authorities for certain groups of organisations). This will ultimately remove uncertainty around whether or not a given organisation is a CIIO, and which of their systems will fall within the CCS framework. However, until such designations are made by the relevant authorities, it does leave significant uncertainty for organisations that may not obviously fall within the definition, especially technology companies.

Designation of CIOs

Under the proposed legislation, an organisation would be designated as a CIO if it were deemed responsible for operating an infrastructure that the Commissioner’s Office determines to be a CI, taking into account the organization’s level of control over the infrastructure. It is proposed that CIs cover the following two categories:

• infrastructures for delivering essential services in Hong Kong, i.e. infrastructures of the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting (“Essential Service Sectors”); and
• other infrastructures for maintaining important societal and economic activities, e.g., major sports and performance venues, research and development parks, etc.

When deciding whether an infrastructure within the scope of the two categories above constitutes a CI, the Commissioner’s Office would take into account:

• the implications on essential services and important societal and economic activities in Hong Kong in case of damage, loss of functionality, or data leakage in the infrastructure concerned;
• the level of dependence on information technology of the infrastructure concerned; and
• the importance of the data controlled by the infrastructure concerned. 

The Government also emphasized that CIOs will mostly be large organisations, and the legislation will not affect small and medium enterprises and the general public. 

The list of the designated CIOs will not be made public to prevent the CIs from becoming targets of cyberattack.

Designation of CCSs

The proposed legislation would only require CIOs to take responsibility for securing the expressly designated CCSs. Systems operated by CIOs but not designated as CCSs would not be regulated by the proposed legislation.

The Commissioner’s Office would only designate as CCSs the computer systems which:

• are relevant to the provision of essential service or the core functions of computer systems; or
• will seriously impact the normal functioning of the CIs if interrupted or damaged.

Importantly, computer systems physically located outside of Hong Kong may also be designated as CCSs.

3. Would organisations have opportunities to object to CIO or CCS designations?

Yes. Under the proposed legislation, before making CIO or CCS designations, the Commissioner’s Office will communicate with organisations that are likely to be designated, with a view to reaching a consensus on the designations. This is helpful, but adds to the recommendation that those potentially caught as a CIO should start planning now to be ready to put forward a clear, reasoned view on whether or not they – and/or all of their systems – should be designated.

After a CIO or CCS designation is made, any operator who disagrees with such designation can appeal before a board comprising computer and information security professionals and legal professionals, etc.

4. What are the obligations of CIOs?

Statutory obligations proposed to be imposed on CIOs under the proposed legislation are classified into three categories:

• Organisational:
  
  • provide and maintain address and office in Hong Kong (and report any subsequent changes);
  • report any changes in the ownership and operatorship of their CIs to the Commissioner’s Office;
  • set up a computer system security management unit, supervised by a dedicated supervisor of the CIO;
    

• Preventive:
  
  • inform the Commissioner’s Office of material changes to their CCSs, including those changes to design, configuration, security, operation, etc.;
  • formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office;
  • conduct a computer system security risk assessment at least once every year and submit the report;
  • conduct a computer system security audit at least once every two years and submit the report;
  • adopt measures to ensure that their CCSs still comply with the relevant statutory obligations even when third party services providers are employed;
    

• Incident reporting and response:
  
  • participate in a computer system security drill organised by the Commissioner’s Office at least once every two years;
  • formulate an emergency response plan and submit the plan; and
  • notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCSs within (a) 2 hours after becoming aware of serious incidents and (b) 24 hours after becoming aware of other incidents.
    

5. What would be the offences and penalties under the proposed legislation?

The offences under the proposed legislation include CIOs’ non-compliance with:

• statutory obligations;
• written directions issued by the Commissioner’s Office;
• investigative requests of the Commissioner’s Office; and
• requests of the Commissioner’s Office for relevant information relating to a CI.

The penalties for these offences would consist exclusively of fines. The level of fines would be determined by court trials, with maximum fines ranging from HK$500,000 to HK$5 million. For certain offences, persistent non-compliance would result in additional daily fines of HK$50,000 or HK$100,000 per day.

It is noteworthy that a CIO will still be held liable for the non-compliance with its statutory obligations if the non-compliance is caused by a third-party service provider. As such, service providers should also start planning now as to whether or not their customer base may be designated CIOs and, if so, what consequences this may have on contractual service obligations, incident notification obligations, security standards/specifications, SLAs, powers of investigation/inspection (including by regulators) and liability/indemnity provisions (including financial caps and exclusions). We anticipate CIOs will expect higher standards from their service providers in advance of the new regulations being introduced.

6. Which authorities would enforce the proposed legislation, and what would their powers be?

Commissioner’s Office

A Commissioner’s Office is proposed to be set up under the Security Bureau to implement the proposed legislation, headed by a Commissioner appointed by the Chief Executive. Its powers would include:

• designating CIOs and CCSs;
• establishing Code of Practice for CIOs;
• monitoring computer system security threats against CCSs;
• assisting CIOs in responding to computer system security incidents;
• investigating and following up on non-compliance of CIOs;
• issuing written instructions to CIOs to plug potential security loopholes; and
• coordinating with various government departments in formulating policies and guidelines and handling incidents.

Among these powers, the most significant might be the investigative powers granted to the Commissioner’s Office. Specifically, in respect of investigations on security incidents, the Commissioner’s Office would have, among others, the powers to:

• question and request information from CIOs;
• direct CIOs to take remedial actions; and
• check the CCSs owned or controlled by CIOs with their consent or with a magistrate’s warrant.

In respect of investigations on offences, it would have the powers to:

• question and request information from any person who is believed to have relevant information in his or her custody; and
• enter premises and take possession of any relevant documents with a magistrate’s warrant.

From a service provider perspective, these powers will likely extend – either directly or more likely via contractual flow down – from CIOs to their service providers. As such, again service providers may need to revisit their customer contracts in this regard.

Designated Authorities

Existing regulators of certain Essential Service Sectors which already have a comprehensive regulatory framework, such as a licensing regime in the financial services and telecoms sectors, may be designated as designated authorities (“Designated Authorities”) under the proposed legislation. The Designated Authorities would be responsible for designating CIOs (and CCSs) among the groups of organisations under their supervision and for monitoring such CIOs’ compliance with the organisational and preventive obligations. It is currently proposed to designate the Monetary Authority and the Communications Authority as the Designated Authorities for the banking and financial services sector and the communications and broadcasting sector respectively. The Commissioner’s Office, on the other hand, would remain responsible for overseeing the incident reporting and response obligations of, and retain the power to issue written directions to, such CIOs. It is hoped that the interaction between the Designated Authorities and the Commissioner’s Officer will be clearly defined when it comes to practicalities before the new framework is finalised.

7. How does the proposed legislation compare to critical infrastructure cybersecurity laws in other jurisdictions?

In formulating the proposed legislation, the government made reference to the legislation of other jurisdictions on critical infrastructure protection, including the United Kingdom, Australia, the United States, the European Union, Singapore, Mainland China and Macao SAR. For instance, the designation-based framework envisaged by the legislation mirrors Australia’s regulatory approach to systems of national significance under the Security of Critical Infrastructure Act 2018. Moreover, many obligations of the CIOs, such as those in respect of security risk assessments, audits and drills, have corresponding counterparts in the cybersecurity legislation of jurisdictions like Mainland China and Singapore. The investigative powers of the regulator to request information, access documents and enter premises can also be found in foreign legislation, including the UK’s Network and Information Systems Regulations 2018 and Singapore’s Cybersecurity Act 2018.

There are, however, technical nuances between similar mechanisms under the proposed legislation and existing laws in other jurisdictions. For instance, the proposed legislation requires organisations to report non-serious security incidents within 24 hours of becoming aware of them, providing greater flexibility compared to Singapore’s requirement of reporting all security incidents affecting critical information infrastructure within two hours of awareness.  

8. What are the next steps for the proposed legislation?

The proposed legislation is expected to be tabled in the Legislative Council by the end of 2024. Once passed, the Commissioner’s Office will be established within a year, and the law will come into effect around six months thereafter. This, therefore, gives a critical planning period until mid-2026 for organisations which may be designated CIOs and their services providers.

9. What must organisations do in light of the proposed legislation?

It is hopes that the uncertainty around some critical issues, including the scope of the Essential Service Sectors (particularly the information technology sector), the specific criteria to distinguish CIs among the Essential Service Sectors, and the threshold for “serious” security incidents, will be resolved as the proposed legislation passes through the public consultation and the usual legislative process. 

Organisations should closely monitor the development of the proposed legislation, develop an internal position on their designation (or their customers’ designation, in the case of service providers, as a CIIO and systems as CCS, and prepare to advocate/lobby for their position once the designation communications commence, and monitor and update their cybersecurity measures and procedures and contracts.