Cyber-attacks – What does the law require?


As major cyber-attacks continue to cause widespread organisational and economic disruption, and botnets are being discovered which have the capability of compromising entire organisations, many businesses are re-evaluating their technical, legal and financial risk exposure.

Organisations assessing legal compliance requirements and risk exposure must first have a clear understanding of the laws that apply to their operations. In general, organisations are subject to laws requiring the implementation of cybersecurity risk management measures in the jurisdictions in which they are established, but in some cases, organisations will also be subject to laws requiring the implementation of cybersecurity risk management measures in jurisdictions where the organisation has no physical presence (e.g., jurisdictions in which an organisation has customers, but no establishment).

As a starting point, all EU & UK businesses are required to implement appropriate technical and organisational measures to protect the personal data that they process (e.g., information relating to customers and employees), including against cyber-attacks. Businesses operating in certain market sectors – for example, finance, digital infrastructure and healthcare – must also implement measures to protect their network and information systems against cybersecurity incidents. In addition, cyber-attacks and other cyber-incidents must be reported to competent regulators and affected individuals in certain situations.

Organisations that fail to implement the necessary security measures and/or report cyber-attacks are exposed to the risk of regulatory scrutiny and significant financial penalties, as well as knock-on financial losses (e.g., remediation costs, lost revenue, etc.), negative press coverage and reputational damage.

What are the requirements in the EU & UK?

EU & UK businesses may be subject to overlapping cybersecurity and incident reporting obligations under EU / UK data protection laws & EU / UK cybersecurity legislation, including the:

  • EU General Data Protection Regulation (the "EU GDPR");
  • UK General Data Protection Regulation (the "UK GDPR");
  • NIS Directive ("NISD"), as implemented in the national laws of each EU Member State;
  • UK Network and Information Systems Regulations 2018 ("UK NIS"); and
  • NIS 2 Directive ("NIS 2"), as implemented in the national laws of each EU Member State.

EU GDPR & UK GDPR

The EU & UK GDPR apply to the processing of personal data (e.g., relating to customers and employees).

  • Security: The EU & UK GDPR require businesses to implement appropriate technical and organisational measures to protect personal data, including against cyber-attacks.
  • Incident reporting: Qualifying personal data breaches[1] must be reported to the competent regulator(s) under the EU GDPR / UK GDPR (e.g., the Information Commissioner's Office ("ICO") in the UK, the Irish Data Protection Commission in Ireland, etc.) within 72 hours of becoming aware of the incident. Incident notifications must include certain information, including: (i) the nature of the personal data breach; (ii) where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (iii) the likely consequences of the personal data breach; (iv) the measures taken or proposed to be taken to address the personal data breach; etc.

In the case of serious personal data breaches, businesses must also notify affected data subjects directly.

  • Financial penalties: The maximum penalty that could apply for non-compliance with the EU GDPR / UK GDPR is the greater of: (i) €20 million / £17.5 million; or (ii) 4% of worldwide turnover.

UK NIS

UK NIS applies to entities operating in certain sectors, including the energy, transport, health, water, digital infrastructure sectors ("Operators of Essential Services"), and to providers of online marketplaces, online search engines, and/or cloud computing services ("Relevant Digital Service Providers").

  • Security: In-scope entities must implement appropriate and proportionate technical and organisational measures to: (i) manage risks to their network and information systems; and (ii) prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services.

The measures implemented by Relevant Digital Service Providers must take into account a number of specific elements, including incident handling and business continuity. The measures implemented by Operators of Essential Services must take into account guidance published by a relevant regulator.

  • Incident reporting: In-scope entities must notify the relevant UK sector regulator (e.g., the ICO for incidents affecting cloud computing services, online marketplaces or online search engines) about any incidents[2] (e.g., cyber-attacks) that have a significant impact[3] on the continuity or provision of their services. The notification must be made within 72 hours of the entity becoming aware of the incident, and should include details such as the time, duration, nature, impact and any likely cross-border effects of the incident, as well as any other information helpful to the regulator.
  • Financial penalties: The maximum penalty that could apply for non-compliance with UK NIS is £17 million.

NISD contains similar obligations to UK NIS.

NIS 2

NIS 2 replaces NISD in the EU, and applies to entities operating in certain sectors, including:

  • the energy, transport, banking, health, drinking water, wastewater, postal and courier services, waste management, manufacturing and food sectors;
  • "digital infrastructure services" (including internet exchange point providers, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks, and providers of publicly available electronic communications services); and
  • "digital providers" (including online marketplaces, online search engines and social networking services platforms) and ICT service management.

At the time of publication, NIS 2 has not yet been implemented in the national laws of all EU Member States.

  • Security: In-scope entities must implement appropriate and proportionate technical, operational and organisational measures to: (i) manage risks to their network and information systems; and (ii) prevent or minimise the impact of incidents on the recipients of their services and on other services.

NIS 2 provides a list of minimum measures that must be implemented by in-scope entities to protect network and information systems (and the physical environment of those systems) from incidents, including: (i) policies and procedures addressing incident handling, business continuity and crisis management; (ii) measures focused on ensuring supply chain security; and (iii) human resources security measures.

The "NIS 2 Implementing Regulation" (a separate piece of legislation that sits alongside, and supplements, NIS 2) sets out specific technical and methodical risk management requirements applicable to certain categories of NIS 2 in-scope entities (e.g., providers of cloud computing services, data centre service providers, social networking services platforms, etc.), but not others.

  • Incident reporting: Entities in scope of NIS 2 must notify the relevant regulator(s) about any incidents[4] (e.g., cyber-attacks) that have a significant impact[5] on the provision of their services. In-scope entities must submit: (i) an early warning notification without undue delay and within 24 hours of becoming aware of a significant incident; (ii) a further (full) incident notification within 72 hours of becoming aware of a significant incident; and (iii) a final report within one month of the (full) incident notification referred to in (ii).

In-scope entities must also promptly inform service recipients of any measures or remedies they can take in response to significant cyber threats, and where appropriate, they must inform recipients of the threat itself.

Additionally, the relevant national authority may inform the public about an incident (or require the entity to do so) if public awareness is 'necessary' to prevent or address the incident, or if disclosure is in the public interest.

  • Financial penalties: NIS 2 imposes steep penalties for non-compliance, at least the higher of: (i) €7 million or €10 million (depending on sector); or (ii) 1.4% or 2% (depending on sector) of total worldwide turnover in the preceding financial year. Member States may set a greater maximum amount under their national law.

What should businesses do?

Businesses should be continually reviewing their cybersecurity posture, and reassessing their incident response and business continuity processes, to ensure that these comply with the applicable requirements and are sufficiently robust. The legal requirements are not drafted in fixed terms. This allows a degree of flexibility in the approaches adopted by organisations and provides adaptability to accommodate future changes to the threat landscape.

Where gaps in an organisational security framework are identified, these should be addressed without delay. Failure to do so increases the risk of falling victim to cyber-attacks, and facing the associated negative press, regulatory scrutiny and financial penalties that will inevitably follow.

Please contact John Timmons or Joe Devine if you have any questions, or if you require assistance with the issues discussed in this article.

Natasha Parsons (Trainee Solicitor, United Kingdom, White & Case) co-authored this publication.

[1] 'Personal data breach' means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
[2] An 'incident' is "any event having an actual adverse effect on the security of network and information systems".
[3] Significance is determined with regard to a number of factors, including the number of users affected, the duration of the incident, and the geographical area affected by the incident.
[4] An incident is "an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems".
[5] An incident is considered significant if: (i) it has caused or is capable of causing severe operational disruption of the services or financial loss for the relevant entity; or (ii) it has affected or is capable of affecting other natural or legal persons by causing material or non-material damage. The NIS 2 Implementing Regulation sets out the applicable thresholds for when an incident is significant, and therefore notifiable.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
