On 7 March 2019, the Network and Information Systems (Amendment etc.) (EU Exit) Regulation 2019 (Draft Regulations) were tabled in the UK Parliament. This legislation will amend the 2018 NIS Regulations, which implemented the Network and Information Systems Directive (EU) 2016/1148 in the UK.
As the Explanatory Memorandum to the Draft Regulations explains, the Draft Regulations will:
- remove the obligations imposed under the NIS Regulations on UK regulatory authorities and the National Cyber Security Centre (NCSC) to liaise, co-operate and share information with the European Commission and authorities in other Member States
- remove the duties on the NCSC and Information Commissioner's Office (ICO) to inform affected Member States if they receive a report for a security incident with cross-border impact. Further, the ICO will no longer have a duty to co-operate with, and assist, competent authorities in Member States where Relevant Digital Service Providers have their main establishment in the UK but their network and information systems are located in an EU Member State, or vice versa
- amend EU Regulation 2018/151 (the Implementing Regulation) to remove references to EU based services providers and to convert from Euros into sterling
- revoke Regulation (EU) No 526/2013, which establishes and confers functions on the European Union Agency for Network and Information Security (ENISA). ENISA is an EU body, and will be redundant in the UK as a result of the withdrawal of the UK from the EU.
So what does this mean for Operators of Essential Services (OEMs) or Relevant Digital Services Providers (RDSPs) in the UK? In terms of security and reporting obligations, there are no major changes for OEMs and RDSPs. However, following Brexit (subject to the terms of any deal) the UK's cyber security cooperation and information sharing practices with EU Member States and institutions will be on a voluntary basis. These practices will also, of course, be subject to the EU's willingness to engage with the UK.
Malicious cyber activity is rarely limited to a single nation, and investigations often require some element of cross-border response. Therefore, this would appear to be something of a step backward for the UK, as it is clear that EU-level co-operation is paramount for protection against, and detection of, large-scale cyber attacks. In time, these elements may be revisited once Brexit is resolved.
The Draft Regulations will come into force 20 days after exit day, and are available here.