Legal Guidance and Research / Experts / Elizabeth Mulley
Elizabeth Mulley#9566
LinkedIn External

Elizabeth Mulley

Trowers & Hamlins LLP
Elizabeth is a Senior Associate in Trowers & Hamlins' Dispute Resolution and Litigation department, focusing on complex and high value commercial disputes with particular expertise in fraud disputes and investigations and cyber security breaches.

Elizabeth's expertise in fraud includes securing freezing injunctions both within the English jurisdiction and worldwide and tracing assets and the proceeds of fraud on a global scale. She is also experienced in assisting clients with internal fraud investigations as well as conducting extensive external fraud investigations for clients following complaints reported by whistleblowers. 

Elizabeth also assists clients to prepare for and navigate cyber security breaches if they fall victim. In connection with this, she also advises her clients on their compliance issues and steps to take to prevent fraud and cyber breaches including preparing full suites of financial crime policies and providing training to clients on the same.

Elizabeth acts for both private and public sector clients across a breadth of industry sectors in relation to national and international disputes including acting for businesses, charities, councils, housing associations, government bodies and private individuals.

Practice Areas

Panel

  • Contributing Author

Qualified Year

  • 2012

Experience

  • Cobbetts LLP (2010 - 2013)
  • DWF LLP (2013 - 2016)
  • Trowers & Hamlins LLP (2016 - Present)

Membership

  • Fraud Advisory Panel
  • Midlands Fraud Forum

Qualifications

  • BSc, Human Biology (2008)
  • GDL (2009)
  • LPC (2010)
  • LLB (awarded by College of Law) (2010)

Education

  • University of Birmingham (2005 - 2008)
  • College of Law (2008 - 2010)

2 Contributions by Elizabeth Mulley

EU cybersecurity duties and breach notification: key regimes (GDPR, NIS 2, CER, ePrivacy, EECC, PSD2, DORA, CRA, AI Act)—scope, reporting deadlines, sanctions and practical response guidance
PRACTICE NOTES
EU cybersecurity duties and breach notification: key regimes (GDPR, NIS 2, CER, ePrivacy, EECC, PSD2, DORA, CRA, AI Act)—scope, reporting deadlines, sanctions and practical response guidance
STOP PRESS This Practice Note sets out the law as it currently stands in legislative terms, but note that certain elements will be materially affected by the Digital Omnibus proposals issued on 19 November 2025 under the Commission’s ‘simplification’ programme. For further information and updates, see Practice Note: EU Digital Omnibus—tracker. It offers, by way of summary, a concise, high-level survey of EU cybersecurity legislation and regulation at EU level, with particular emphasis on: Regulation (EU) 2016/679, the EU General Data Protection Regulation (EU GDPR) Directive (EU) 2022/2555, the EU’s second Network and Information Systems Directive (NIS 2 Directive), which superseded and replaced Directive (EU) 2016/1148, the NIS Directive Directive (EU) 2022/2557, the EU Critical Entities Resilience Directive (CER Directive) Directive 2002/58/EC, the EU ePrivacy Directive Directive (EU) 2018/1972, the European Electronic Communications Code (EECC) Financial legislation, including Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), and Directive (EU) 2015/2366, the second EU Payment Services Directive (PSD2) Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA) Regulation (EU) 2024/1689, the EU AI Act These measures are explored in the context of: the entities that are required to comply with such rules within the EU...
EU Law
UK cybersecurity: security obligations, breach reporting and enforcement under UK GDPR, NIS, PECR, FSMA and PSTIA, with practical incident response guidance and forthcoming reforms
PRACTICE NOTES
UK cybersecurity: security obligations, breach reporting and enforcement under UK GDPR, NIS, PECR, FSMA and PSTIA, with practical incident response guidance and forthcoming reforms
FORTHCOMING CHANGE: On 12 November 2025, the Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) was laid before the House of Commons. The CSRB provides for amendments to the Network and Information Systems Regulations 2018 (SI 2018/506), notably widening their scope to cover data centres, managed service providers and large load controllers, and allowing regulators to identify ‘critical suppliers’. It overhauls incident reporting by creating a two‑stage process—an initial alert within 24 hours followed by a comprehensive report within 72 hours—and enlarges the definition of reportable incidents to capture a wider set of security compromises. The Secretary of State is also granted powers to make regulations concerning the security and resilience of network and information systems, to set a statement of strategic priorities for regulatory authorities, and to publish a code of practice. In addition, the CSRB confers powers to issue directions to regulated persons and regulatory authorities where threats present a risk to national security. To monitor the CSRB’s legislative progress, see Practice Note: The UK NIS Regulations—timeline. This Practice Note outlines the legal framework for cybersecurity—considering the entities that must adhere to those rules, their...
Information Law
Expert page AD
If you expected to see yourself on this page, click here.