The UK Government has recently published its 'Cyber Security Regulation and Incentives Review' in which it confirms that it will be implementing the European Network and Information Security Directive – more colloquially known as the Cyber Security Directive – regardless of Brexit.

The other key points raised in the government's review are:

  • The Government will seek to improve cyber risk management principally through the implementation of the new General Data Protection Regulation (GDPR), due to come into force in May 2018. The GDPR will replace the Data Protection Act 1998 in the UK, though there are questions about how this might be put into effect post-Brexit. For more information, read the briefing on Data Protection Law
  • Further cyber security regulations, other than the GDPR and Cyber Security Directive, will not be implemented as they might overburden businesses and organisations
  • The Government is placing the burden on organisations to manage their own risk in respect of sensitive data and their online presence. However, it is accepted that some businesses do not fully understand who is responsible for cyber security nor do they know which cyber security organisations they can trust.

Cyber Security Directive

The Cyber Security Directive was approved on 6 July 2016 by the European Parliament and is the main instrument that supports Europe's cyber resilience.

The primary objectives of this Directive are to improve cyber security capabilities at national level and increase EU-level cooperation.

The Directive achieves this by requiring operators of critical infrastructures and so-called digital service providers to adopt appropriate steps to manage security risks and to report serious incidents to the national competent authorities.

EU countries will have 21 months from the date the directive comes into force to implement the new EU legislation into national laws, and have a further six months to identify the operators of essential services with an establishment on their territory which would be subject to the new rules. 


This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.