A Year in Compliance: Five Lessons Learned from 2023
Table Of Contents:
Security and compliance leaders ended 2023 as they began it, overwhelmed with the volume and complexity of new rules and regulations. Some will apply only to specific types of organisations. Others may be difficult to avoid. But it all adds up to a macro picture of more work, especially for UK firms with operations and/or partners in Europe and the US.
So, which five takeaways might be helpful to bear in mind for what’s likely to be another busy year ahead? Here are our top lessons learned from 2023:
1. UK Firms May Not See A ‘Brexit Dividend’
In several cases this year, new UK laws emerged that promise to undo some of the ‘red tape’, which Brexit proponents claim was a key reason for leaving the bloc. One is the Data Protection and Digital Information Bill (DPDI), which the government claims will help save UK firms billions. This UK version of the GDPR includes various clarifications and carve-outs which could make the law more business-friendly, such as ensuring that only organisations engaged in “high-risk” data processing need to keep records. However, UK firms with EU operations will either have to stick with their existing GDPR compliance framework – which the government will allow – and therefore fail to take advantage of these benefits or shoulder the burden of running two compliance regimes side by side.
The second Network & Information Systems Regulations (NIS 2) will put some firms in a similar quandary, given the UK is diverging from the regime next year. The fact that member states must implement the former by 17 October 2024, while the UK’s legislative plans remain unclear, could lead to increased costs for compliance teams.
These cases remind us of the need to partner with compliance specialists capable of centralising and streamlining disparate activities for under-pressure teams.
2. ISO 27001 Compliance Is A Great Foundation For Businesses
We’ve seen new regulation and legislation proposals at a dizzying rate throughout the year. But the good news is that with a robust best practice security framework, organisations will already have done much of the heavy lifting for many of these new rules. It’s certainly true of the EU’s Digital Operational Resilience Act (DORA), NIS 2 Directive and Cyber Resilience Act (CRA), which apply to financial services firms, operators of essential services, and manufacturers of products with digital components, respectively. It will also help with the UK’s DPDI, which is slated to replace the GDPR. And as ISMS.online reported throughout the year, best practice frameworks can help mitigate the risk of deepfakes, supply chain threats and more.
A recent Gartner report claimed that ISO 27001 and NIST (National Institute of Standards and Technology) offer the governance rigour, processes and structure required to drive information security and risk management success regardless of size, industry vertical or security/risk management competence. Yet it also found that 41% of clients had yet to select a framework or had developed their own ad hoc approach – which could lead to control gaps, wasted resources and over-burdened security teams.
3. What Happens Abroad Matters At Home
Security and compliance teams can’t live in a vacuum, especially if their organisation has operations abroad or partnerships with foreign entities. From the US, new SEC rules on breach/incident disclosure will affect service providers wherever they are based. It will demand UK firms in this situation to potentially raise their game on incident response and other elements of security posture. Then there’s DORA, NIS 2, the CRA and the EU AI Act, all of which will impact organisations selling into the bloc.
Some rules are yet to be finalised, but firms hoping to gain an advantage in these markets will want to be well briefed, adequately prepared, and partner with specialists who can help make compliance an enabler rather than a roadblock.
4. There’s Still Plenty Up In The Air
Compliance teams crave certainty. But the creation and passing of new laws and regulations can be a messy, drawn-out process. So, at the end of 2023, we still have no confirmed date when the DPDI or UKI NIS updates may become law. And parts of some proposed EU laws have proved highly controversial, potentially delaying their passage. The EU AI Act recently ran into trouble when campaigners highlighted a dangerous new loophole that was introduced after the legislation’s passing in parliament. It would effectively allow developers to decide for themselves whether their AI model is “high risk” or not. Meanwhile, the CRA has also seen significant pushback over its treatment of open-source developers and its potentially negative impact on vulnerability disclosure.
In the UK, proposed updates to the Investigatory Powers Act (IPA) have also been heavily criticised for undermining the digital economy and potentially forcing tech providers out of the country. All of which means there’s plenty still to be decided. But smart compliance teams will look at what’s not likely to change in upcoming legislation and work out what they can accomplish ahead of time.
5. There’s Plenty More To Come Next Year
It might have been a busy 2023, but there’s no slowdown in sight for security and compliance professionals next year. That’s because the countdown continues to the implementation of several significant new regulations, while the details on others are due to be finalised by the relevant authorities. Thus, we’ll see organisations continue to get their house in order for PCI DSS 4.0 when it officially lands in March 2025, as well as NIS 2 (17 October 2024). The CRA, DORA, DPDI and EU AI Act should all be finalised next year, as well as the UK’s NIS updates. Also, in the UK, April 2024 will be the compliance deadline for the Product Security and Telecoms Infrastructure (PSTI) Act, which will impact manufacturers of smart (IoT) products.
As the new year begins in earnest, organisations should look where possible to eliminate inefficiencies and silos, integrate compliance more fully into operations, and arm themselves with the right set of automated tooling to reduce the burden on teams.
Unlock Your Compliance Advantage in 2024
If you’re looking to start your journey to better compliance, we can help.
Our ISMS solution enables a simple, secure and sustainable approach to compliance and information management with ISO 27001, SOC 2, NIST and over 100 other frameworks. Realise your competitive advantage today.