
The 10 Biggest Compliance Moments Of 2023: Our Pick Of A Landmark Year

There’s been plenty to keep UK cybersecurity and compliance professionals busy over the past 12 months. From long-awaited industry regulations to new data-sharing agreements and groundbreaking legislative proposals, 2023 has been a standout year on many fronts. There will be much to build into compliance programmes over the coming 12 months, so here’s our pick of the ten biggest new rules, regulations and laws to consider:

1. NIS 2 And Its UK Equivalent

A second version of the EU’s Network and Information Security (NIS) Directive entered into force in January 2023, and member states have until October 17, 2024, to transpose it into local law. It seeks to broaden the directive’s scope to medium and large-sized firms in additional sectors like telecoms, social media, wastewater and food. There will also be heavier fines, minimum baseline requirements, and a more significant focus on incident response, director accountability and supply chain security. All UK “operators of essential services” (OES) operating in the EU will need to comply. And in the meantime, the UK is preparing its own update to the regime, explained here.

Check out this NIS 2 compliance guide.

2. The Digital Operational Resilience Act (DORA)

Financial sector firms and their ICT partners operating in Europe will have until January 17, 2025, to comply with this new EU law. Greenlit in January 2023, DORA will force complying firms to plug gaps in their operational resilience in the face of mounting cyber threats. It covers risk management, incident reporting, standardised resilience testing, intelligence sharing and third-party risk management. Organisations that have already achieved ISO 27001 certification – or follow its guiding principles of proactive risk management and the continuous improvement of operational resilience – will be well placed to comply.

Check out this 15-point DORA compliance checklist.

3. Data Protection and Digital Information Bill (DPDI)

Hailed as the UK’s attempt to produce its own post-Brexit version of the GDPR, the DPDI Bill is an attempt to make the data protection law more business-friendly without impacting the UK’s adequacy status. Among the headline changes is that only organisations engaged in “high-risk” data processing must keep records, potentially cutting paperwork. There are also clarifications about when organisations can process data without requiring consent. However, there are concerns for UK firms with EU operations. They will either have to keep their GDPR compliance framework as is and not be able to take advantage of the DPDI’s stated benefits or run two parallel frameworks, which will mean more work. Specialist advisors can help by centralising these efforts via a single portal.

4. New SEC Rules

The Securities and Exchange Commission (SEC) introduced new security disclosure requirements in 2023, which will also impact UK firms. Specifically, any UK firm that provides services (especially data-related) to listed US companies can expect more scrutiny from these organisations. US firms will be expected to disclose within four days any cyber incident at a service provider which has “a material impact” on their business. There will therefore be a much higher bar for incident response planning and disclosure, and UK service providers should expect ongoing due diligence from their US partners. An ISMS and ISO 27001 or SOC 2 compliance could help firms provide these assurances to their US partners.

5. EU-US Data Privacy Framework (DPF)

This framework was endorsed by the European Commission in July 2023, providing an adequacy decision that means data can flow from the bloc to the US unhindered. To become certified and demonstrate ongoing compliance, US organisations must embed specific data protection processes in their business, including purpose limitation, data minimisation, data retention and sharing.

6. UK-US Data Bridge Agreement

Announced in September, this is an extension to the EU-US DPF designed to eliminate costly contract clauses for UK businesses transferring personal data to US service providers and to minimise other barriers to data flow between the two countries. UK firms will now be able to comply with the rules on international data transfers without requiring extra risk assessment of their US partners. The new data bridge will work in an almost identical way to the EU-US DPF and will be available from October 12, 2023.

7. Cyber Resilience Act (CRA)

The EU’s CRA is still being finalised at the time of writing. But its high-level aim is to protect consumers and businesses by: imposing a strict set of cybersecurity requirements “governing the planning, design, development and maintenance” of tech products; and providing a new CE kite mark to boost transparency. Manufacturers, importers and distributors of products with a “digital component” considered high-risk will likely have to undergo third-party conformity assessments against the new security requirements. The burden could be more onerous for smaller businesses, although experts claim organisations already complying with GDPR with robust security controls, policies, and procedures should find compliance achievable with limited adjustment.

8. EU AI Act

Currently being finalised, the legislation will look to reduce societal harm stemming from AI. It will take a risk-based approach, classifying AI models according to “unacceptable”, “high”, “limited”, and “minimal” risk. Those deemed high risk will need to meet strict criteria such as risk assessments and mitigation systems, logging of activity, detailed documentation, appropriate human oversight, and high levels of robustness and security in order to conform. The model will then be registered in the EU database and given a CE mark. UK organisations selling into the EU will be faced with running two separate compliance frameworks or conforming to the EU law. Organisations can start the work now by adapting data protection impact assessment processes in readiness for the new regime.

9. NIST Cybersecurity Framework 2.0

The CSF 2.0 is the first significant refresh in this best practice framework since its inception in 2014. It will introduce a new “Govern” pillar covering:

  • Organisational context
  • Risk management strategy
  • Supply chain risk management
  • Roles, responsibilities and authorities
  • Policies, processes and procedures
  • Oversight

And there will be more implementation examples to help organisations turn CSF theory into practice. Experts believe an information security management system (ISMS) could help by outlining examples of how to use the CSF 2.0 Reference Tool and giving an understanding of what real-world implementations look like.

10. PCI DSS 4.0

Although PCI DSS 4.0 was actually approved in March 2022, it has been a regular topic of discussion this year as the two-year countdown to the implementation deadline on March 31, 2025, has begun. While earlier versions of the framework were prescriptive (e.g. deploy firewalls and apply anti-virus controls), PCI DSS 4.0 aims to promote security as a continuous process. The changes include a requirement for anti-malware rather than anti-virus and the deployment of multi-factor authentication for access to the cardholder data environment. There are also requirements to mitigate digital skimming risks and to help minimise supply chain risk by maintaining a software inventory, including libraries and components. As always, those businesses processing large card volumes will be required to undertake an external audit.

Check out our guide for achieving PCI-DSS V4 compliance alongside ISO 27001.
