
UK business unlikely to dodge EU cyber security rules post-Brexit

The UK’s Brexit vote has thrown many businesses into uncertainty and doubt about whether they will have to comply with the cyber security rules coming out of the EU.


The European Parliament has adopted the Network and Information Security (NIS) Directive, putting it on course to be transposed into European Union (EU) member states’ laws by May 2018. But with Brexit on the way, will UK businesses still have to comply?

The directive is the first EU-wide rule on cyber security and is aimed at achieving a high common level of security of network and information systems in the EU.

It will do this by improving cyber security capabilities at a national level, increasing EU-level co-operation and introducing risk management and incident reporting obligations for operators of essential services and digital service providers.

Operators of essential services and digital service providers in EU member states will have to comply with a new set of technical requirements expected in August 2017 that are designed to achieve these goals, but it is not immediately clear to what extent UK firms will be affected due to the Brexit vote.

Because the EU’s General Data Protection Regulation (GDPR) is a regulation, it will become law in the UK on 25 May and remain in force until the UK officially leaves the EU. The same is not true of the NIS Directive: as a directive, it must first be transposed into the local law of each EU member state.

Technically, the UK is still likely to be a member of the EU in May 2018, but it is not yet clear if the UK will go to the trouble of transposing the NIS directive into UK law.

If it does, then operators of essential services identified by the UK government should start preparing now, as well as digital service providers with 50 or more employees, including providers of online market places, online search engines and cloud computing services.

These two groups of organisations will be required to take organisational and technical measures to protect against cyber threats to networks and information systems, and there will be reporting requirements following incidents. 

The obligations imposed on digital service providers, however, are to be less onerous than those imposed on operators of essential services.

NIS Directive still likely to apply to UK business

But if the UK does not transpose the NIS Directive into law, does that mean UK firms falling into these two categories do not need to worry about it?

Not necessarily, according to Conor Ward, consultant at law firm Hogan Lovells. He said even though operators of essential services may well be off the hook for their UK operations, if they are considered to be essential in other member states, they will be caught there. 

Similarly, digital service providers that offer their services in Europe will be caught even if the services are provided from the UK as the directive, like the GDPR, will apply on an extraterritorial basis.

“It was drafted intentionally to catch overseas service providers, in particular providers from the US, that target EU citizens,” said Ward.

However, he said it remains to be seen if the directive has a disruptive effect on companies in the UK, which are generally better prepared than some of their European-based competitors.

“The big digital service providers tend to have pretty good security. It will be the medium-sized providers of digital services that may be most affected,” said Ward.


One area Ward believes will affect all digital service providers is around the reporting obligation following a security breach. 

“If the UK government decides not to implement the directive, companies that provide services into Europe may still be required to report breaches,” he said. 

“They will need to appoint a representative in a member state and the digital service provider will be under the jurisdiction of the member state where the representative is established. This will at least give the service provider some opportunity to ‘forum shop’ or elect to be supervised in the most favourable jurisdiction.”

James Castro-Edwards, partner at Wedlake Bell, agreed that while the timing might suggest the provisions of the NIS Directive will no longer concern UK organisations, this is unlikely to be the case.

“The intended outcomes of the NIS Directive – namely increasing cyber security, imposing high levels of risk management and improving co-operation across member states – will no doubt continue to be of great concern to the UK,” he said.

For the purposes of the NIS Directive, a more unified approach to cyber security is key, according to Castro-Edwards. “While it is probable that specific provisions will differ slightly, it seems unlikely the UK would not wish to pursue this common goal,” he said.

Serious approach to NIS and GDPR needed

Nic Scott, managing director for the UK & Ireland at security firm Code42, said the NIS Directive and the GDPR are likely to apply to UK firms in the post-Brexit era as the UK continues to trade with and provide digital services in EU countries. 

This means the UK data protection authority should encourage UK politicians to take compliance with the NIS and GDPR very seriously, he added.

“After all, 10% of the UK’s GDP comes from the provision of digital services. This is not an insignificant chunk of the economy, and it definitely should be safeguarded against reels of red tape,” he said.

Scott said UK organisations should not be “sitting on the fence” to “see what happens”, but should instead be preparing for the changes coming in the European laws around data protection and cyber security.

“These changes are coming, so get prepared and make sure you’ve implemented a compliant security stack to protect your organisation to the best of your ability, from first-layer antivirus to last-line modern endpoint backup,” he said.

According to Adam Palmer, director of international government affairs at FireEye, research by the security firm shows that most organisations are not fully prepared to comply with the NIS Directive’s requirements for mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware.

“It is critical to react now to be in compliance and not be caught unprepared. In the wake of Brexit, in practical terms UK organisations should still look to be compliant with this new European legislative measure,” he said.

In the long term, said Palmer, the UK will need to ensure it finds a way to be considered a country with an adequate level of data protection, so that neither data storage nor data transfer will prove problematic.

“The UK Data Protection Authority would also do well to encourage the UK government to align with EU data protection laws to safeguard the trust of global customers,” he said.
