Implications of Brexit for cyber security

Is any new EU legislation expected to come into force and effect before the end of the transition period?

Certain key EU legislation has already come into force and effect, namely:

• the GDPR, which came into force on 25 May 2018 and has been supplemented in the UK through the Data Protection Act 2018; and
• the NIS Directive, which applies to operators of essential services and competent authorities and which was implemented in the UK through the NIS Regulations 2018 on 10 May 2018.

The E-Privacy Regulations, which replace the Privacy and Electronic Communications Regulations (PECR), have not yet come into force and effect. However, it is anticipated that the Regulations will be passed in late 2018 or early 2019, with a one year implementation period. On that basis, it is possible that the E-Privacy Regulations will come into force and effect during the transition period.

As we say above, the European Commission has also proposed a new “Cybersecurity Act”, along with legislation that would increase the scope and powers of ENISA. It is unlikely that these proposals will come into force and effect before the end of the transition period.

Is a new regulator needed, or do additional powers to be given to an existing regulator?

No new regulators will be required.

Under the GDPR (and the Data Protection Act 2018) and PECR, the ICO is the relevant regulator.

The NIS Regulations 2018 establish a number of “Competent Authorities” that have regulatory responsibilities for each relevant sector. The National Cyber Security Centre will be the “Single Point of Contact”, which is not a regulatory role but which will entail acting as the contact point for engagement with EU partners.

Is there an existing "equivalence" or "recognition" regime for recognising Third Country regulatory regimes?

There is no such regime for cyber security, but there is an existing “recognition” regime in relation to data privacy issues.

The European Commission can issue an “adequacy decision” in relation to a third country's data protection regime. To date, the European Commission has issued “adequacy decisions” to 12 countries.

The UK is seeking a bespoke arrangement with the EU that goes beyond the adequacy regime, but so far the EU has resisted anything other than the existing mechanism.

Does current UK government policy mean that (subject to the terms of a future trade agreement between the UK and the EU) material changes to regulation or enforcement are likely post-Brexit?

The government intends to preserve the GDPR, and has already made provision for doing so by bringing into force and effect the Data Protection Act 2018.

Whilst the NIS Directive has been implemented into law, some aspects of the NIS Regulations require cross-EU cooperation (such as the participation in a Computer Security Incident Response Team network), which will depend on any future deal between the UK and EU.

What should businesses be doing now to prepare for Brexit?

• Ensure compliance with all current EU legislation that is in effect and in force and understand the effect and implications of the E-Privacy Regulations once these come into force and effect.
• Monitor the proposals for the EU’s Cybersecurity Act, to ensure you understand how any legislation might affect you (bear in mind that EU legislation in this space may continue to be relevant, whether or not the UK implements that legislation post-Brexit).
• If your business processes data in relation to EU citizens but does not have an establishment elsewhere in the EU, consider how you would comply with your GDPR notification responsibilities in the event of a data breach.