Cybersecurity compliance for businesses
The importance of business cybersecurity compliance is poorly understood. Most owners underestimate the financial and reputational risks and completely ignore the consequences of non-compliance.
That’s right; your business is legally required to have a certain level of cybersecurity and data protection for itself and its customers. And rightly so—the current trend of businesses having their data stolen only increases everyone’s vulnerabilities. If you think your data is currently safe, it’s likely not!
In this article, we explain what your business needs to do to meet the compliance requirements set out by the relevant authorities for your specific sector and activities. Let’s dive in!
💡 Key takeaways:
- Data handling and privacy: All businesses in the UK or worldwide that handle UK citizens’ data must comply with DPA 2018.
- Critical and essential services: Any organisation that is responsible for these key services needs to comply with NIS 2018.
- Others: Businesses in the finance sector must comply with FCA cyber regulations, and those who offer card payments need to comply with PCI.
What is cybersecurity (a refresher)?
Just like your physical premises may have locks, alarms, gates, registration logs and perhaps even cameras and security guards, the digital side of your business also needs protection to dissuade attackers from targeting your data, customers, servers, etc.
IT departments normally handle this task, implementing business cybersecurity essentials like staff training, strong passwords, software updates, firewalls, and incident response plans.
There are numerous “attack vectors” that cybercriminals can exploit. The list of cybersecurity and data loss threats includes phishing, malware, DDoS, credential stuffing and zero-day exploits.
Most businesses fail to understand that the implications can be dire. Not only can this include financial loss, reputational damage, and operational disruption, but it can also lead to legal consequences and higher costs for cybersecurity insurance.
Just like a thief can always find a new way to sneak into your premises, no business is immune from a cyberattack. So your best bet is to simply keep up with the times and be as prepared and insured as possible!
💡 Cyber Essentials: Businesses that follow essential practices can prevent 80% of common cyber attacks.
An overview of business cybersecurity regulation
Three principal UK cybersecurity regulations apply to UK businesses, each differing in scope and reach:
Regulation | Scope | Applies to |
---|---|---|
Data Protection Act 2018 (DPA 2018) | Everything to do with data handling, processing and sharing. | All UK businesses |
Network and Information Systems Regulations 2018 (NIS 2018) | Network and information system security for critical and essential services | Essential and critical service providers ONLY (e.g. health, energy, water, transport) |
Financial Conduct Authority (FCA) Regulations | Cybersecurity requirements for financial services firms in the UK | Financial services firms (e.g. banks, payment services, insurance) |
Other | Cybersecurity and data protection in the legal and credit card payments sector. | Legal sector and any organisation handling card payments. |
The key thing to understand is that these regulations complement each other. For example, if my business provides water utility services, it must comply with the Data Protection Act 2018, which applies to all organisations, as well as the NIS 2018 regulations, because the water industry is considered an essential service.
This may sound like a lot, but in truth, there is a lot of overlap between these regulations. Following the Cyber Essentials Scheme supported by the UK government will generally help any business cover the majority of regulations, especially small and medium-sized businesses. A more stringent audit may be required for any larger business or those doing critical or essential services.
Data Protection Act 2018 (DPA 2018)
The DPA 2018 is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR). It sets out the framework for data protection and privacy in the UK, including principles, rights, and obligations for businesses. It was amended post-Brexit in 2021.
Compliance with the DPA 2018 is essential for businesses and organisations to ensure the lawful and secure handling of personal data, including obtaining explicit consent, ensuring data security, and reporting data breaches within 72 hours.
Businesses have several tools to design and maintain their data handling so that it meets the regulation’s requirements, which are extensive and include:
- Obtaining explicit consent
- Having a lawful basis for processing the data
- Managing the data in a way that is secure, clear, transparent and amendable, so that the rights of data subjects are respected
💡 Worldwide reach: The DPA 2018 applies to businesses and organisations that either (1) are based in the UK and process the personal data of anyone, anywhere in the world, or (2) process the personal data of UK residents, regardless of where they are based.
DPA 2018 compliance tips
Here are practical tips to ensure compliance with DPA 2018:
- Privacy policy: Creating one is essential. It communicates how your business handles all personal data, why it’s collecting it, and how it’s being protected. It should be accessible, clear, unambiguous, and written in simple language. Usually, businesses update their policies every 12 months.
- Cookie banners: Any business website collecting data must obtain explicit consent from each user, and cookie banners are the main way of obtaining that permission. Consent must be withdrawable at any time without consequence, separate from other terms and conditions, and unambiguous.
- Lawful basis requirements: You must have at least one of the following five lawful reasons for processing personal data:
  - There is a contractual transaction.
  - There is a legal obligation.
  - There is a legitimate interest whose benefits outweigh the privacy risks.
  - Your business is undertaking a public interest task or exercising official public authority.
  - Not processing the data would endanger someone’s life or health.
- Get an expert on data: Your business must know what data it is acquiring and how to handle it. Data about race, genetics and biometrics, as well as the data of minors, is particularly sensitive. Are there any third parties holding this data? Your data must be robustly secured, encrypted and erasable upon request.
- Data Protection Officer (DPO): Organisations such as public authorities, those carrying out large-scale processing, and those carrying out systematic monitoring (for example, a census) must appoint a Data Protection Officer (DPO) to oversee compliance.
- Third-party products and guidance:
  - Information Commissioner’s Office data protection self-assessment checklists
  - Cookie Script – practical tools (scripts and apps) to help ensure compliance.
💡 General compliance: Compliance with DPA 2018 also involves keeping data safe. Completing a Cyber Essentials certification covers some of this.
DPA 2018 non-compliance penalties and fines
Significant fines and other regulatory actions are designed to be “effective, proportionate, and dissuasive”. Fines for violations of the basic principles can be up to £17.5 million or 4% of the organisation’s total annual worldwide turnover in the preceding financial year, whichever is higher.
For less serious infringements, the maximum fines can be up to £8.7 million or 2% of the organisation’s total annual worldwide turnover in the preceding financial year, whichever is higher.
Other penalties imposed by the Information Commissioner’s Office (ICO) include warnings, reprimands, orders to comply with data subjects’ requests or bring processing operations into compliance within a specified timeframe.
Network and Information Systems Regulations 2018 (NIS 2018)
This is the pre-Brexit implementation of the EU Network and Information Systems Directive. The regulations are designed to improve the security of the network and information systems that are critical for providing essential services such as energy, transport, healthcare, and digital infrastructure.
It applies to businesses identified as:
- Operators of Essential Services (OES): Energy, transport, health, water, and digital infrastructure.
- Digital Service Providers (DSPs): Online marketplaces (Amazon, eBay), online search engines (Google, Bing), and cloud computing services (AWS, Azure).
The NIS Regulations require the following:
Security Requirements
NIS regulations require technical and organisational measures to manage the risks posed to the security of their network and information systems, including measures to prevent and minimise the impact of incidents.
The National Cyber Security Centre (NCSC) provides guidance and support, including security measures and incident reporting advice.
Incident Reporting
Organisations must report significant cybersecurity incidents to the relevant competent authority or the Computer Security Incident Response Team (CSIRT) within a specified timeframe. This allows authorities to assess the incident’s impact and coordinate responses.
Competent Authorities
Each sector covered by the NIS Regulations has a designated competent authority responsible for supervising and enforcing compliance. These authorities can assess compliance, issue enforcement notices, and impose penalties for non-compliance.
Here’s a list of some of the key sectors and their corresponding authorities:
Energy
- Electricity & Gas: The Office of Gas and Electricity Markets (Ofgem)
- Oil: The Department for Business, Energy and Industrial Strategy (BEIS)
Transport
- Aviation: The Civil Aviation Authority (CAA)
- Maritime: The Maritime and Coastguard Agency (MCA)
- Rail: The Office of Rail and Road (ORR)
Health
- The Department of Health and Social Care (DHSC) and NHS Digital
Water
- England and Wales: The Drinking Water Inspectorate (DWI)
- Scotland: Drinking Water Quality Regulator (DWQR)
- NI: Drinking Water Inspectorate
Digital
- Infrastructure: The Department for Digital, Culture, Media and Sport (DCMS)
- Service Providers: The Information Commissioner’s Office (ICO)
NIS 2018 compliance tips
If you are a business whose digital activities are covered within the scope of NIS 2018 regulations, then compliance requires technical expertise beyond government-backed solutions like Cyber Essentials.
Use the NCSC framework and checklist to understand what you may need to do, and use the NIS 2018 government guidance for competent authorities to see what regulators may be looking for.
If your business operates in locations besides the UK, the NIS compliance guidance by KPMG may be useful for these international implementations, since the UK’s NIS regulations are inherited from the same EU directive that applies within the bloc.
One of the most detailed technical compliance guides we have found is Tripwire’s NIS compliance guidance, which may come in useful for your business.
NIS 2018 non-compliance penalties and fines
The NIS penalties are separate from those under the DPA 2018. The maximum fine under the NIS Regulations can be up to £17 million, yet the actual amount will depend on the severity of the incident and the prevention and response measures taken by the victim.
NIS fines are intended as a last resort, with the regulations emphasising cooperation and supporting security improvements.
Financial Conduct Authority Regulations (FCA)
The FCA sets out specific cybersecurity requirements for financial services firms in the UK to ensure the financial system’s integrity and protect consumers.
These include additional requirements for risk management, incident reporting, and customer data protection. Audits, resilience testing, customer authentication and reporting are much more stringent than for regular businesses.
These requirements exceed those set out by the core DPA and NIS 2018 regulations and apply to banks, insurance companies, investment firms, payment services, crowdfunding platforms, P2P lending, consumer credit firms, etc.
Other regulations
Besides the DPA 2018 that applies to all businesses, the NIS 2018 regulations that apply to critical sectors, and the FCA regulations that apply to financial institutions, a few other competent authorities can impose cybersecurity regulations on their respective sectors:
Legal sector
Law firms and other legal service providers must comply with the Solicitors Regulation Authority (SRA) and the Bar Standards Board (BSB) regulations, which include requirements for protecting client data and maintaining the confidentiality and integrity of information.
While they can’t directly impose fines, they can take disciplinary action against legal professionals who fail to comply with their regulatory obligations, including data protection. Disciplinary actions can include fines, suspension, or disbarment.
Credit card transactions
Any business that handles credit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS).
While the regulator (PCI SSC) does not directly impose fines, it works with various payment card brands such as Visa and MasterCard to enforce compliance with PCI DSS. This includes fines of as much as several hundred thousand dollars per month, increased transaction fees, remediation costs and loss of card acceptance privileges.
How can my business ensure compliance with cybersecurity regulations?
Ensuring compliance will help your business with cybersecurity and data protection while avoiding legal problems and fines.
Recall that the implications of being the victim of a cyber attack are many and include financial loss, reputational damage, operational disruption and increased insurance premiums.
Following the business cybersecurity essentials will get your business 95% of the way. These include:
- Cybersecurity training and audits
- Using strong passwords and Multi-Factor Authentication (MFA)
- Ensuring software updates, backups, antivirus, firewalls and Wi-Fi are properly set up
- Controlling local and remote access to your networks
- Having appropriate Incident Response Plans (IRPs)
The UK’s National Cyber Security Centre (NCSC) offers a government-backed Cyber Essentials certification system to help businesses implement these and qualify for cyber liability insurance.
Compliance with specific regulations
In addition to the above-mentioned essentials, it is important to comply with more specific regulations for your business, including data protection and privacy and sector-specific cybersecurity. See our regulations overview to navigate to the specifics.
Compliance for cybersecurity insurance
Compliance with these regulations will help your business obtain cybersecurity insurance. While there are no official government institutions or partners that certify direct compliance with the DPA 2018, NIS 2018 and FCA cybersecurity regulations, the following certifications indirectly demonstrate compliance:
ISO/IEC 27001
This international standard for information security management is widely recognised worldwide, as are other ISO standards for quality control, such as those for construction, engineering and accounting.
UK organisations widely adopt this cybersecurity standard, which provides a framework for managing information security risks and can be used to demonstrate compliance with security best practices.
Cyber Essentials and Cyber Essentials Plus
The Cyber Essentials Scheme supported by the UK government is loosely based on the ISO principles and is easier to implement. Find the details in our Cyber Essentials Scheme article.
GDPR Certification
- BSI (British Standards Institution): BSI offers a range of GDPR-related services, including training, gap analysis, and certification to demonstrate compliance with data protection laws. Find them here.
- PwC: PwC provides GDPR certification services that assess an organisation’s data protection framework against GDPR requirements. Find them here.
- EuroPrivacy: EuroPrivacy provides a certification scheme that assesses and certifies compliance with the GDPR and other data protection regulations. You can find it here.
Going beyond regulations
Don’t ignore business cybersecurity, and go beyond regulations if you can. The digital world is changing rapidly, much faster than governments and institutions can react.
Just like AI is helping many of us do our jobs, it’s also helping cybercriminals find new ways of attacking businesses and organisations.
Increase your use of VPNs, get an extra secure business broadband router, and choose from the best business broadband providers to ensure you have the safest hardware.
Compare business broadband deals with us for the best prices to free up capital for your cybersecurity endeavours.