UK - How will the NIS Directive apply in the UK post-Brexit

On 7 March 2019, the Network and Information Systems (Amendment etc.) (EU Exit) Regulation 2019 (Draft Regulations) were tabled in the UK Parliament. This legislation will amend the 2018 NIS Regulations, which implemented the Network and Information Systems Directive (EU) 2016/1148 in the UK.

As the Explanatory Memorandum to the Draft Regulations explains, the Draft Regulations will:

remove the obligations imposed under the NIS Regulations on UK regulatory authorities and the National Cyber Security Centre (NCSC) to liaise, co-operate and share information with the European Commission and authorities in other Member States
remove the duties on the NCSC and Information Commissioner's Office (ICO) to inform affected Member States if they receive a report for a security incident with cross-border impact. Further, the ICO will no longer have a duty to co-operate with, and assist, competent authorities in Member States where Relevant Digital Service Providers have their main establishment in the UK but their network and information systems are located in an EU Member State, or vice versa
amend EU Regulation 2018/151 (the Implementing Regulation) to remove references to EU based services providers and to convert from Euros into sterling
revoke Regulation (EU) No 526/2013, which establishes and confers functions on the European Union Agency for Network and Information Security (ENISA). ENISA is an EU body, and will be redundant in the UK as a result of the withdrawal of the UK from the EU.

So what does this mean for Operators of Essential Services (OEMs) or Relevant Digital Services Providers (RDSPs) in the UK? In terms of security and reporting obligations, there are no major changes for OEMs and RDSPs. However, following Brexit (subject to the terms of any deal) the UK's cyber security cooperation and information sharing practices with EU Member States and institutions will be on a voluntary basis. These practices will also, of course, be subject to the EU's willingness to engage with the UK.

Malicious cyber activity is rarely limited to a single nation, and investigations often require some element of cross-border response. Therefore, this would appear to be something of a step backward for the UK, as it is clear that EU-level co-operation is paramount for protection against, and detection of, large-scale cyber attacks. In time, these elements may be revisited once Brexit is resolved.

The Draft Regulations will come into force 20 days after exit day, and are available here.

Content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes. For more information, please visit: www.bakermckenzie.com/en/client-resource-disclaimer.

Register now for your free, tailored, daily legal newsfeed service.

UK - How will the NIS Directive apply in the UK post-Brexit

Filed under

Topics

Organisations

Popular articles from this firm

144A vs REG S Only- considerations in high yield offerings *

Belgium: Modification of medicines packaging to remove any "negative formulations" *

Data Protection Day - Key developments and trends for 2023 *

Singapore: Beauty salon provides undertaking to consumer watchdog to cease unfair trade practices *

The EU Pharmaceutical Package From a National Perspective: Member States’ First Reactions *

Related practical resources PRO

Related research hubs