Cyber_Bytes - Issue 78
Welcome to Issue 78 of Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
RPC Cyber app: Breach counsel at your fingertips
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPC Cyber_ can be downloaded for free from the Apple Store or Google Play Store.
Cyber Security and Resilience Bill Introduced to UK Parliament: Strengthening the Digital Backbone
On 12 November 2025, the UK government introduced the Cyber Security and Resilience Bill to Parliament. The Bill aims to fortify national defences against cyberattacks by updating the Network and Information Systems Regulations 2018 so that they are more consistent with the European NIS2.
Key changes:
- Expanded scope to include medium and large IT service providers, data centres and their third-party suppliers;
- Increased security controls required when managing essential services and smart energy systems;
- Reporting obligations are stricter: in particular, notifiable incidents must be reported to the affected organisation's regulator and the National Cyber Security Centre within 24 hours, followed by a full report within 72 hours;
- Enhanced penalties introduced through higher and turnover-based maximums for serious breaches.
Regulated organisations will face stricter compliance obligations, increased reporting requirements, and greater scrutiny of supply chain security.
The Cyber Security and Resilience Bill is expected to pass within the next year, but organisations should actively monitor its progress and prepare for compliance through early engagement.
Read more through the House of Commons Library here.
EU Digital Omnibus Package: A New Era for Data and AI Regulation
On 19 November, the European Commission published its Digital Omnibus Package ('the Package'), proposing updates to key legislation, including:
- GDPR
- ePrivacy Directive
- Data Governance Act, and
- AI Act.
The Package signals a shift in the EU’s approach to data and artificial intelligence regulation, by aiming to harmonise compliance standards, reduce administrative burdens, and support innovation in risk management and cyber resilience.
Notable proposed reforms include:
- a narrowed definition of personal data, which clarifies that information is not personal data for an organisation if that organisation has no realistic way to identify the person to whom it relates;
- streamlined data subject access request processes, with new powers to refuse or charge for excessive or non-genuine requests;
- breach notification thresholds to data protection authorities (Article 33 GDPR) being raised to align with Article 34 GDPR, requiring notification only where incidents are likely to result in a 'high risk' to individuals; and
- establishment of a single-entry notification system to centralise reporting obligations to regulators across multiple EU regulations, including the GDPR, NIS 2, DORA, CER and eIDAS.
For AI, the Package expands legitimate interest grounds as a legal basis under the GDPR where personal data processing is necessary for the controller's interest in the context of the development and operation of AI. It also proposes the introduction of regulatory sandboxes, aimed at enabling businesses to innovate under regulatory oversight.
Click here and here to read the proposals by the European Commission.
British Security Minister Proposes National Security Exemptions to Ransomware Payment Ban
On 2 September, the UK Government proposed a ransomware payment ban for public sector and critical national infrastructure organisations, as well as obligations for other businesses to notify the Government of any intention to pay a ransom demand.
However, British Security Minister Dan Jarvis has recently proposed a 'national security exemption' to the ban. The legislative proposal is still pending agreement across the Government, but Dan Jarvis has acknowledged that the ban may have serious consequences for UK businesses, stating “that’s why we’re looking very carefully at national security exemptions, because we don’t want people to be facing an invidious choice between a hospital shutting down or going to jail.”
Click here to read more by Infosecurity Magazine.
The Post Office data breach
On 3 December, the ICO issued a reprimand to the Post Office following an “entirely preventable” data breach that disclosed personal information about 502 people involved in the Horizon IT scandal. The incident arose when an unredacted legal settlement document (containing names, home addresses and postmaster status) was mistakenly published on the Post Office’s corporate website for almost two months.
The ICO found the Post Office had failed to implement appropriate technical and organisational measures, highlighting the absence of documented policies and quality assurance for web publication and insufficient staff training, including no specific guidance on information sensitivity or publishing practices.
You can read the news on the ICO website here.
ICO right of access guidance: what it is, key principles and what it means for businesses
The ICO has recently published guidance on how organisations must handle data subject access requests (DSARs) under the UK GDPR and Data Protection Act 2018.
Key principles include: accountability in being able to justify decisions; reasonable and proportionate searches; and careful application of exemptions. The guidance explains when and how exemptions may apply, including exemptions to protect the rights of others, for legal professional privilege, for management forecasting, for negotiations with the requester, or where disclosure would prejudice crime or taxation functions. The guidance also explains when a “neither confirm nor deny” response may be used. It sets out specific approaches for third‑party data, children’s requests and special categories of information in health, education and social work. It also covers handling information in emails and archives, deleted data, unstructured manual records held by public authorities, and enforcement risks.
The practical implications for businesses are an increased need to prepare and to standardise DSAR response capability. This includes: the establishment of policies on applying exemptions, third‑party redaction, and format/secure delivery; maintenance of logs and evidence of decisions; and ensuring information management (naming, retention and deletion) supports timely, accurate responses.
Read the detailed ICO guidance here.
The European Commission clarifies ‘important’ and ‘critical’ product categories under the Cyber Resilience Act
The European Commission has published an Implementing Regulation relating to the Cyber Resilience Act (CRA). The regulation provides a non-exhaustive list of products with digital elements whose core functionality matches the technical description of specific important or critical products.
Manufacturers of in-scope products must implement the CRA’s cybersecurity requirements proportionately, undertake a comprehensive cybersecurity risk assessment and evidence how requirements are implemented, tested and assured. Where a product’s core functionality meets an 'important' or 'critical' category, stricter conformity routes apply, including mandatory third‑party assessment or certification in some cases.
Click here to access the implementing regulation.