The UK’s Brexit vote has thrown many businesses into uncertainty and doubt about whether they will have comply with the cyber security rules coming out of the EU
The European Parliament has adopted Network and Information Security (NIS) Directive, putting it on course to be transposed into European Union (EU) member states’ laws by May 2018. But with Brexit on the way, will UK businesses still have to comply?
The directive is the first EU-wide rule on cyber security and is aimed at achieving a high common level of security of network and information systems in the EU.
It will do this by improving cyber security capabilities at a national level, increasing EU-level co-operation and introducing risk management and incident reporting obligation for essential services and digital services.
Operators of essential services and digital service providers in EU member states will have to comply with a new set of technical requirements expected in August 2017 that are designed to achieve these goals, but it is not immediately clear to what extent UK firms will be affected due to the Brexit vote.
While the EU’s General Data Protection Regulation (GDPR) will become law in the UK on 25 May until it leaves the EU officially because it is a regulation, the same is not true for the NIS Directive. As a directive, it first needs to be transposed into local law of EU member states.
Technically, the UK is still likely to be a member of the EU in May 2018, but it is not yet clear if the UK will go to the trouble of transposing the NIS directive into UK law.
If it does, then operators of essential services identified by the UK government should start preparing now, as well as digital service providers with 50 or more employees, including providers of online market places, online search engines and cloud computing services.
These two groups of organisations will be required to take organisational and technical measures to protect against cyber threats to networks and information systems, and there will be reporting requirements following incidents.
The obligations imposed on digital service providers, however, are to be less onerous that those imposed on operators of essential services.