Reed Smith Client Alerts

Key takeaways

  • If your organisation falls within the scope of the new cybersecurity laws, your incident response policies will need to be updated.
  • Establish when the thresholds for notifying a security incident are met under the new laws, and what the new notification deadlines are.
  • Train personnel and run tabletop (desktop) incident response exercises so that the compliance procedures work seamlessly for the services that fall within the scope of the new cybersecurity laws.
  • Update your due diligence processes for selecting third-party service providers so that the providers you select meet the cybersecurity standards imposed by the new laws.
  • Update your contracts with third-party service providers to require them to implement the new cybersecurity standards and to notify you of relevant security incidents, so that your organisation can meet its own obligations under the new cybersecurity laws.

If you are subject to the new cybersecurity laws, it is time to update your incident response policies, because the criteria for determining which cyber incidents must be reported to regulatory authorities or customers are changing. The graph below shows the changes to the notification obligation.

Existing obligation to report an incident

First, the graph shows the existing legal obligation to report an incident under the General Data Protection Regulation (GDPR) in the EU and the UK where the incident involves the personal data of individuals: a personal data breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals, and to the affected individuals where the breach is likely to result in a high risk to them.

New obligations to report an incident

It also shows how the incident notification obligations under the new cybersecurity laws will affect organisations located in, or providing services in, the EU that are (a) classified as essential or important entities under the Second Network and Information Security Directive (NIS2 – see our summary of the obligations) and/or (b) designated as critical entities under the Critical Entities Resilience Directive (CER – see a summary of the obligations). Under NIS2, a significant incident must be reported to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. Under CER, a critical entity must notify incidents that significantly disrupt, or could significantly disrupt, the provision of its essential services without undue delay and no later than 24 hours after becoming aware of them.

Industry-specific requirements to report incidents

There are also new industry-specific requirements in relation to cybersecurity measures and incident response. For example, both the EU and the UK require financial services organisations to implement operational resilience (including cyber resilience) measures under, respectively, the EU Digital Operational Resilience Act (DORA – see our updates) and the operational resilience rules published by the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) (PRA/FCA – see our summary).