We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.
Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.
We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.
This update includes Information Security, Environment and Health & Safety – click to jump to the relevant section.
Information Security
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.
Legislative changes
Published UK legislation
No new principal UK legislation and no other relevant legislation relevant to our customers was identified as having come in to force in this quarter.
Proposed UK Legislation
The following new regulation was proposed in the quarter:-
- UK Data (Use & Access) Bill was introduced in the House of Lords in October, it is scheduled to have its second reading in the House of Commons on 12th February 2025. The bill proposes changes to existing personal data protection and privacy, including
- restructuring the Information Commissioners’ Office and giving it enhanced enforcement capabilities reducing bureaucracy while maintaining personal data protections
- encouragement for organisations to use data more effectively e.g. for personalised marketing and fraud prevention, but with stricter rules on sensitive
- data processing
- requirements for organisations to explain how individuals’ data is used
- encouragement for businesses to use AI more freely, but with requirements for increased transparency about use of AI and automated decision making tools by organisations
- more flexible data sharing rules for sectors including finance, healthcare and logistics
Other
Three new information security related EU regulations came in to force in the quarter which may be directly or indirectly relevant to UK organisations depending on their client base and product portfolio.
- Network and Information Systems Directive 2 (NIS2) came in to force in October 2024.
NIS2 replaces the original NIS Directive. NIS2 applies to ‘essential’ and ‘important’ entities registered in the EU (primarily larger organisations operating in energy, transportation, banking manufacturing or food production).
The obligations on in-scope organisations include requirements for risk management, incident management, cybersecurity awareness training and supply chain security. While entities registered in the UK are not in-scope for NIS2, the requirements around supply chain security may lead to UK organisations having additional obligations placed upon them by in-scope clients, parent organisations or subsidiaries within the EU.
The NIS2 requirements align to a number of the requirements of ISO 27001, so UK organisations that have implemented Information Security Management Systems (ISMSs) which meet the requirements of ISO 27001 should be able to leverage their ISMSs to demonstrate how they meet those cascaded obligations.
- Digital Operational Resilience Act (DORA) came in to effect on 17th January 2025
DORA specifically relates to information security of financial institutions operating within the EU. It has similar high-level requirements to NIS2, including supply chain management (third-party risk management), so again, while entities, or subsidiaries etc. of entities operating in the UK are not in-scope, they may also find additional obligations placed upon them by in-scope clients, parent organisations or subsidiaries with the EU.
Again, the regulation broadly aligns with the key requirements of ISO 27001, so UK organisations that have implemented Information Security Management Systems (ISMSs) which meet the requirements of ISO 27001 should be able to leverage their ISMSs to demonstrate how they meet those cascaded obligations.
- Cyber Resilience Act (CRA) came in to force on 10th December 2024.
The main obligations of the act will come in to effect on 11th December 2027, but some aspects, including registration and vulnerability reporting, come in to effect in June and September 2026 respectively.
The CRA applies to digital products, including software sold in the EU that can connect to a network or a device. This includes software as a service (SaaS) sold in the EU. This act will be directly relevant to UK organisations who develop in-scope products which they sell to clients within the EU.
The act aims to improve the cyber security of ‘digital products’ sold in the EU. It applies to manufacturers, importers and distributors of software and hardware sold in the EU.
Requirements include:-
- Security by design
- Vulnerability Management (including identification and remediation of vulnerabilities throughout products lifecycle, and reporting of actively exploited vulnerabilities or major incidents to regulatory authorities in the EU within 24 hours of their identification)
- Provision of timely security updates to users, ideally automatically
- Cybersecurity risk assessment
- Provision of clear information to users about security features and product support
As with NIS2 and DORA, there are several similarities in requirements to ISO 27001 and in particular to the security controls listed in Annexe A. Again organisations which have implemented ISMSs to the ISO 27001 standard, particularly those which have implemented it to the 2022 standard and applied their security controls as recommended in ISO 27002:2022, may find it easier to meet the requirements. ISO 27001 gives some latitude to organisations as to how they chose to apply the controls however. The CRA will states some specific requirements, so organisations should confirm whether any of their products are in-scope and if so, review the requirements of the act to ensure that their application of the Annexe A security controls meets the requirements of the sct, particularly with respect to development activities.
The above sit alongside the EU’s AI Act which we reported on in July’s update.
Microsoft
SANS Internet Storm Centre published the following summaries of the patch Tuesday releases from :-
Other
- In October, Microsoft released a permanent fix for a flaw identified in June affecting Azure MFA. The flaw could allow unauthorised access to users’ accounts by simultaneously submitting multiple rapid authorisation requests. More here
- The controversial Windows Recall screen snapshot and AI analysis feature was reintroduced in November after months of delay, but only to members of the Windows Insider program on Copilot+ hardware. More here
- A zero-day flaw affecting New Technology LAN Manager (NTLM) in all versions of Windows Workstation and Server from W7 to current W11 versions was identified, which could allow credential theft. Microsoft is working on a fix, planned for release in April 2025 and has issued advice on dealing with the vulnerability in the mean time. More here
- Microsoft will officially end support for Windows 10 in October 2025. More here and here
Apple
Details of Key apple updates and security fixes can be found on Apple’s security updates page
Other
- Apple agreed to pay $95m to settle a class-action lawsuit brought by customers who accused it of eavesdropping via Siri. Apple denied selling the data and settled to avoid future claims. More here
- Apple released its ‘Apple Intelligence’ AI features for iPhone, iPad, and Mac in October through a free software update with the release of iOS 18.1, iPadOS 18.1, and macOS Sequoia 15.1. The functionality is intended to help users refine writing and summarised notifications, mail and messages, and improved photo editing. More here
- In January, Apple withdrew its Apple Intelligence news summary features however, after complaints from organisations including the BBC that the device had hallucinated results. More here
- Apple announced that it will make its first post-quantum cryptographic protection (PQ3) available through inclusion in iMessage on iOS and iPad OS 17.4 and macOS 14.4. More here
Linux, Android, Google
- Google & Android
- In November, Google announced that it will make MFA mandatory for all Google Cloud users worldwide during 2025. More here
- The Information Commissioner’s Office (ICO) branded Google Irresponsible for allowing advertisers to track users’ digital fingerprints, which are harder to identify and block than traditional cookies. In December, Google announced that it would make the functionality available to advertisers. More here
- Google released its Gemini 2.0 AI model in December. It claims that 2.0 is twice as fast as its previous version 1.5 and supports image, video and audio inputs and outputs. More here
- Linux
- Researchers believe that the first malware capable of infecting the boot process of Linux systems has been developed. The proof-of-concept bootkit malware code ‘bootkitty‘, developed by Korean students includes an exploit for previously identified UEFI vulnerabilities. More here
- Vulnerabilities have been found in the ‘needrestart’ Linux utility used to restart services after upgrades. The vulnerabilities can allow local users to escalate their privileges. More here
- A flaw in Kubernetes Image Builder could allow unauthorised access to Virtual Machines via SSH. The flaw has been given a CVSS score of 9.8 out of 10. More here
Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies
The NCSC also publishes current cyber security reports and advisories here, and malware reports and analysis here
Information from the Information Commissioner’s Office and partner agencies
- The ICO has published its pipleline for development and release of new and updated guidance here
- In October, the ICO launced its ‘ripple effect’ campaign to highlight the wider damaging effects of data breaches more information here
Noteworthy cyber incident and breach news reported in the quarter
This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment
- Sellafield fined for cybersecurity failings (October2024): The UK’s Sellafield nuclear facility was fined after it was revealed that 75% of its systems were vulnerable to cyberattacks, risking exposure of sensitive nuclear data.
Source: More here - PowerSchool (December 2024): A hack of the US Educational technology provider may have affected 62millon students across the US and Canada. The hacker stole credentials and demanded a ransom after which they provided a video of them deleting the data, but PowerSchool admit there is no guarantee that deletion was fully effective. More here
- The British Museum (January 2025): – The prestigious British Museum was forced to temporarily close some galleries and exhibitions in January after a disgruntled former IT contractor gained access to its systems on-site and shut down a number of systems. More here
- Telefonica (January 2025): – the multinational telecoms provider whose brands include O2, was hacked. More than 225,000 lines of customer data and almost half a million Jira tickets were stolen, reportedly by the Hellcat ransomware group. More here
Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter
- Concerns have been raised regarding the mobile apps released by Chinese AI firm DeepSeek. The new AI provider publicly released its low-cost R1 model to huge media attention in January, however concerns have since been raised that the mobile apps it provides throgh the main app stores. Concerns included information collected about devices that is transmitted in unencrypted form, and use of hard-coded encryption keys. More here and wider concerns about DeepSeek here
- In September, researchers reported that attackers were confirmed to have used Generative AI to help write code used to distribute the commercially-available AsyncRAT malware. More here
The NCSC publishes current cyber security reports and advisories here, and malware reports and analysis here
Environment
Legislative changes
The Deposit Scheme for Drinks Containers (England and Northern Ireland) Regulations 2025 came in to force on 23rd January 2025. From 1st October 2027, producers of PET (plastic), steel and aluminium drinks containers with capacities from 150ml to 3 litres will be required to charge a refundable deposit on the containers and ensure they are appropriately labelled with information about the scheme. With the exception of small retailers; physical retailers of drinks in those containers will be required to collect the deposit at point of sale, operate return points for the empty containers and provide refunds on deposits for returned containers. Other exemptions may apply if existing return points are already located nearby. Online retailers will need to offer a take back service for in-scope containers to ensure customers can conveniently return containers for refunds. Retailers and producers will need to register under the scheme.
Health & Safety
Legislative changes
- No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.
HSE Bulletins and News
- The Health and Safety Executive turned 50 at the start of the year. Created by the Health and Safety at Work etc. Act 1974, the HSE was officially launched on 1st January 1975, bringing responsibilities for workplace health and safety under one regulatory authority from its previously fragmented and industry-specific agencies. More here
- The act was officially launced New body mapping tool released to help workers report musculoskeletal issues caused or exacerbated by work. More here
- Updated guidance on how to comply with the Personal Protective Equipment at Work Regulations 1992 Here
- Working Minds stress prevention campaign calendar published here
Health & Safety Executive has all the latest Covid information and advice here
If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch
Here are some more helpful links which may be of use
