January 23, 2026
An overview of cybersecurity statutes and regulations as relevant to commercial and personal activity conducted in the UK, including intentions behind the laws, their scope of application, and the consequences of non-adherence.

Cybersecurity touches us all. Whether you’re browsing on your PC, making a purchase, withdrawing cash, or receiving medical treatment, each of us is affected when our own cyber defences, or those of companies or the government, are breached. This is because so much of our day-to-day activity and critical national infrastructure relies on computers, which, as a result, accumulate and store data that is valuable to criminals, whether that’s your medical history, your bank details, or even just your shopping habits. Understandably, businesses try to protect these details, not only because they are legally compelled to, but because being held to ransom for them can also cause great financial and reputational losses. Given the considerable increase in such cyber-attacks in recent years, the British government has tried to prevent their recurrence through the introduction of, for example, the Data Protection Act (2018), the Network and Information Systems Regulations (2018), and the Cyber Security and Resilience Bill (2025). This article will delve further into these, looking at their aims, remits and effects, in addition to addressing what you as a lawyer need to know about this fast-moving area of law.

What are Cybersecurity Laws Trying to Protect?

The short answer is digital systems, data, and infrastructure – both corporate and personal. In our increasingly connected world, it has now become easier than ever to surrender, either intentionally or accidentally, personal and commercial data through everyday interactions, whether through conducting business or leading life in the modern world. As such, the potential for our private information to be stolen, misused, or exposed has never been greater. The overriding objective of cybersecurity laws is to safeguard this information and prevent it from being misused or misappropriated by cybercriminals. To achieve this, a dominant area of focus for the laws is the bolstering of business resilience and national security by mandating the implementation of preventative security measures, such as so-called Cyber Essentials (user-access controls, malware protection, secure configuration, firewalls, and security update management). By insisting on such measures, the government can ensure greater economic stability, protect critical national infrastructure (e.g. energy grids, transport systems, healthcare services, and water supply), and ensure personal and commercial data are secure. We will now have a look at some of the ways the government has tried to achieve this through legislation and explore the potential consequences businesses may encounter if they fail to implement the guidance.


The Governing Laws, Rules, and Regulations

Data Protection Act (2018)

The aim of this Act is twofold: to empower ‘data subjects’ (individuals) and to support organisations with regard to the protection of personal data. It does this by implementing and supplementing the EU’s General Data Protection Regulation (GDPR). Any person or company that handles the personal data of others is responsible for the careful and conscientious treatment of it. Under this Act, individuals are granted the right to know what information is held about them and to request access to it. In handling data, organisations, whether public or private, need to follow data protection principles that mandate the fair, secure, and lawful use of personal data. These principles are enforced by the Information Commissioner’s Office (ICO), and penalties for non-adherence range from formal warnings and injunctions to the suspension or revocation of processing rights and considerable fines (up to £17.5 million or 4% of global turnover). Over and above these fixed sanctions, commercial enterprises should also be attuned to the reputational risk, loss of profit, and limited growth that can arise from the mishandling of personal data or its loss through cyberattacks.

Network and Information Systems (NIS) Regulations (2018)

This legislation establishes cybersecurity requirements for Operators of Essential Services (OES), such as health, transport, energy, water, and digital infrastructure companies, as well as for Digital Service Providers (DSPs), for example those operating cloud computing services, search engines, and online marketplaces. The regulations aim to bolster companies’ cyber resilience, reduce hacking incidents through better detection and reporting methods, and improve the security of the digital economy. An example of such a regulation is the obligation to report an ‘incident’ (e.g. a data breach) to the relevant Competent Authority (CA) and the National Cyber Security Centre (NCSC) within 72 hours of becoming aware of it. As with the Data Protection Act (2018), there are penalties for non-compliance, enforced by the Competent Authority that regulates each sector. These penalties range from information notices (requesting further details) and enforcement notices to fines of up to £17 million. Consequently, companies are compelled to invest in better cyber security defence measures and more secure digital supply chains, and to train personnel so they are equipped to deal with potential incidents and the reporting thereof.

Cyber Security and Resilience Bill (2025)

This was introduced at the end of 2025 to the House of Commons, with potential enactment due in 2026. In essence it aims to update and expand existing cyber laws and regulations, for example by widening the scope of the NIS Regulations (2018) to include unregulated sectors such as Managed Service Providers, Relevant Digital Service Providers, and Data Centre Operators. It also encompasses Critical Suppliers that regulators can nominate as being particularly crucial components of national infrastructure. It will bring in stricter incident reporting by requiring initial notification within 24 hours of awareness and a full report within 72 hours; it will allow the imposition of daily penalties of up to £100,000 per day for non-compliance and grant the Secretary of State powers to issue National Security Directions to avert imminent threats, for example by isolating high-risk systems.


What do you need to know?

The most fundamental point to take away from this area of the law is how increasingly important cybersecurity legislation is becoming for individuals, businesses, and the country at large, and why the government is so keen to legislate here. By way of illustration, in 2024 the medical test management group Synnovis had 400 GB of patient data stolen and was held to ransom for $50 million; as the ransom was not paid, this personal data was then exposed on the internet. Several NHS trusts, many hospitals, and thousands of appointments were affected, which had a serious impact on citizens’ health and lives. You can read more about that attack here. In light of this, you should ensure you are fully aware of the gravity of the impact of cyber-attacks on businesses, government infrastructure, and individuals’ lives, and be aware of what legislation and organisations such as the NCSC aim to achieve in this domain.

Commercial Awareness Questions

The types of question that could arise in a commercial law interview in this area are, for example:

  • What are the core obligations for essential service operators under the NIS Regulations?
  • How do you ensure cyber security governance and compliance within an organisation?
  • What are the specific timelines and thresholds for reporting cyber incidents to the ICO and NCSC under UK law?
  • How do you embed privacy and security into new projects from the very beginning?
  • How can UK businesses mitigate specific threats like phishing, ransomware, or state-sponsored attacks?
  • Describe the process for responding to a significant data breach under UK law and technical best practices.
  • How would you balance robust security with business usability and operational needs?

Where Next?

Before any interview or application that might touch on cybersecurity law, you should make sure you’re well-acquainted with the relevant directions, regulations and legislation, and how they apply to both businesses and individuals; the websites of the NCSC and the government are great places to start. Additionally, you should take a look at some of the other free resources available at The Lawyer Portal, such as the informative blogs and guides on other related and relevant topics such as the government’s infrastructure plans and the GDPR.
