CyberScotland Week: Cyber Security Reforms

As part of CyberScotland Week, the regulatory risk and compliance team examine potential cyber security reforms and how they could affect organisations’ compliance practices.

1 March 2024


Cyber security should be a top priority for all organisations, no matter their size. Our previous articles in the CyberScotland Week series looked at cyber security risk assessments and the regulations that apply to cyber security in the energy sector.

This article explores potential reforms in the cyber security sector and how these may impact businesses and other organisations.

Proposals for reform

There are a number of proposed legal reforms that could change how cyber security is governed. The UK government published its National Cyber Strategy in 2022, which set out the cyber challenges (and proposed solutions) facing the UK, highlighting cyber-attacks on hospitals, key infrastructure, and businesses.

Reform of the Computer Misuse Act 1990

The Home Office published a consultation on 7 February 2023 in relation to potential reforms to the Computer Misuse Act 1990. 

The proposed changes to the 1990 Act will provide greater powers to law enforcement agencies to seize and take down domains and IP addresses that are being used to carry out criminal activities. The consultation also proposes the introduction of a general offence for possessing or using illegally obtained data, as current penalties are deemed inadequate.

Importantly for organisations and businesses, the consultation proposes that data system owners will be required to preserve the data they hold, where mandated by law enforcement agencies. This measure is intended to maintain the integrity of any data that could be subject to potential seizure as part of a criminal investigation and would represent a new step in the legal framework of data compliance. Organisations will need to rigorously implement processes to comply with this requirement if the proposal becomes law.

The UK government’s aim to reform the outdated 1990 Act shows that steps are being taken to ensure that law enforcement agencies have sufficient powers to deal with modern cyber risks. 

Organisations have an increasingly important role to play and must maintain their own cyber security defences and processes, as bad actors will always look to exploit weaknesses. 

Strengthening the Network and Information Systems Regulations 2018

The UK government launched a public consultation on proposals for legislation to improve the UK’s cyber resilience in January 2022. The government’s response to that consultation outlined plans to amend the Network and Information Systems Regulations 2018 by providing delegated powers to widen the scope of the regulations to include new industry sectors and sub-sectors. 

The proposals in the consultation would also require that a greater range of incidents be reported under the Regulations. The consultation response concluded that the reforms will be implemented once a “suitable legislative vehicle” is found, and it remains to be seen whether the UK government will make the amendments to the 2018 Regulations.

A new “Cyber Duty to Protect”

A UK government call for information was published in September 2022 which sought views on the introduction of legislation placing more responsibility in the hands of organisations who manage and process personal data. 

The idea behind this is to lessen the burden placed on individuals in relation to cyber security. The working name for these measures is the “Cyber Duty to Protect”. However, the UK government has not yet responded to the call for information and so the proposals are yet to move forward. 

The introduction of a Cyber Duty to Protect would impose greater compliance requirements for organisations dealing with personal data and require them to shoulder more cyber security risk.

Greater corporate responsibility

A further consultation published by the UK government raised the possibility of requiring large organisations to include a “Resilience Statement” in their annual reports. 

The statement would provide details of how the company has approached threat management, including in relation to any cyber security risks. The government responded to the consultation in May 2022 setting out its intention to introduce the reforms but legislation has yet to be introduced.

Conclusion

It is clear that legal reform will only extend the requirement for organisations to adopt rigorous compliance frameworks and undertake robust cyber security risk assessments. 

If you need assistance in this area, please contact our regulatory risk and compliance team. They can assist by advising on the best steps to take to ensure that your organisation remains compliant with the law and can help to ensure that your organisation remains up to date with the latest legal developments in cyber security.