We must all safeguard against cyber attacks

Governments are moving to keep businesses safer in a changing world

In today’s digital age, cyber-attacks are a looming threat for every organisation. It’s no longer a question of “if” but “when” a cyber-attack will strike. The damage caused, both financial and reputational, can be huge, sometimes catastrophic. What, then, is being done to ensure a suitably robust legislative framework in this area? With Cyber Scotland Week 2025 starting today, now is a good time to reflect on legal developments in the cyber arena.

2024 saw notable legislative developments at a European level aimed at enhancing cyber resilience across key sectors. The Network and Information Systems Directive (NIS2), the EU Cyber Resilience Act and the Digital Operational Resilience Act (DORA) are recent examples of ambitious steps taken by the EU. The result is legislation setting new standards for enhancing IT and network security, with compulsory cyber risk management measures, stricter incident reporting deadlines for significant cyber incidents and tougher enforcement and increased penalties across critical sectors operating in the EU. UK organisations operating in the EU will need to comply with these requirements, representing a significant challenge for some.

These are bold steps by the EU. What then of the UK? With cyber threat actors frequently targeting critical UK services and institutions, there was some concern that organisations would be left in a more vulnerable position here. The announcement by the UK Government that there would be a Cyber Security and Resilience Bill was, therefore, welcomed by many. The Bill will adopt similar provisions to NIS2, enhancing the cybersecurity legislative framework in the UK.

Angus Gillies says AI is an area where new protections are constantly needed

In the UK, the Government is also undertaking reform of data protection law. In October 2024, the Data (Use and Access) Bill was introduced to the UK Parliament. This legislation will refine and amend certain aspects of current UK data protection law.

UK businesses also need greater certainty around the legal status of digital assets. On that, the UK Parliament is presently considering the Property (Digital Assets etc) Bill which, if passed, will enable certain digital assets to be considered as personal property for the first time, but only in England, Wales and Northern Ireland.

Scotland, whose property law is distinct from that of England and Wales and is a devolved matter, is also making progress on digital assets, which do not fit easily into traditional Scots law concepts of property. The Scottish Government is now considering responses to a consultation on these issues, following an Expert Reference Group examining the issues and making recommendations. The need for Scottish commerce to have certainty and clarity in this area should not be underestimated, so legislation at the Scottish Parliament may reasonably be expected.

On artificial intelligence, another 2024 development within the EU was the passing of an Artificial Intelligence Act, laying down wide-ranging rules around this. In contrast, the UK Government appears to be taking a “wait and see” stance, monitoring developments before deciding whether and, if so, how to legislate in this area. As part of this stance, the UK’s current approach includes a framework with various cross-cutting principles including safety, security and robustness, transparency, accountability and fairness, with reference to which regulators of specific sectors may issue guidance.

It seems sadly certain that cyber threat actors will continue to develop ever more sophisticated techniques, including the use of AI-driven deepfake technology. The need for robust cyber security systems, thorough incident response planning and testing, and the need to review insurance cover for cyber incidents have never been greater.

Angus Gillies is a Senior Associate, Clyde & Co

©National World Publishing Ltd. All rights reserved.