Overview
This regulatory update summarizes major cyber security developments affecting the UK and international landscape as of February 2025, including proposed legislation, regulatory consultations, new codes of practice, and international treaties.
UK AI Cyber Security Code of Practice
- DSIT released a voluntary AI cyber security code of practice with 13 principles on 31 January 2025.
- The code targets AI developers and operators, promoting best practices for managing cyber threats.
- It is intended to form the basis of a global standard developed through the European Telecommunications Standards Institute.
- Updated guidance and implementation resources are available, with a revision planned for early 2025.
Government Consultation on Ransomware Reporting and Payments
- The government proposes a ban on ransomware payments for public sector and critical infrastructure bodies.
- Victims would be required to report their intention to pay a ransom before making any payment, and mandatory incident-reporting timelines would be introduced.
- The consultation on these proposals closes on 8 April 2025.
FCA Consultation on Operational Incident and Third-Party Reporting
- The FCA seeks feedback (CP24/28) on new reporting rules for operational incidents and third-party arrangements.
- Proposals include standardised reporting thresholds and alignment with international frameworks such as DORA.
- The consultation closes on 13 March 2025.
New Guidance to Secure Edge Devices
- NCSC and international partners published minimum forensic logging and monitoring requirements for internet-connected edge devices.
- The recommendations cover device selection and incident response readiness, with the aim of improving threat detection.
CBEST Thematic Analysis on Financial Sector Cyber Resilience
- The latest CBEST analysis identifies gaps in UK financial firms’ cyber defences, including weak identity and access controls.
- Firms are advised to strengthen cyber resilience, with further regulatory consultations planned for late 2025.
UN Convention Against Cybercrime
- The UN General Assembly adopted the first global, legally binding treaty on cybercrime in December 2024.
- The convention aims to improve international cooperation in preventing and investigating cybercrime; it takes effect after ratification by 40 countries.
European Commission Action Plan for Securing Healthcare Sector
- The EU unveiled an action plan to boost cyber resilience in healthcare, featuring new guidance, early warning services, and rapid response measures.
- Sector-specific consultation and rollout of additional actions are scheduled for 2025 and 2026.
Key Dates / Deadlines
- FCA consultation on operational and third-party reporting closes: 13 March 2025.
- UK government ransomware consultation closes: 8 April 2025.
Action Items
- 13 March 2025 – All affected firms: Submit feedback to the FCA on operational and third-party reporting proposals.
- 8 April 2025 – Stakeholders: Respond to the government ransomware consultation.
- Early 2025 – DSIT: Publish updated AI cyber security code of practice.