This article is part of the FERMA/AIRMIC joint Brexit Newsletter which is designed to give risk professionals unique insight into Brexit related risks and mitigation strategies.
The UK’s exit from the European Union (EU) will affect various aspects of cybersecurity law. Sarah Stephens from JLT Specialty explains the changes we can expect in both a Withdrawal Agreement and a “no deal” Brexit scenario.
Network and Information Systems (NIS) Regulations
The UK Network and Information Systems (NIS) Regulations 2018 implement the EU Network and Information Systems (NIS) Directive and will continue to apply in both Brexit scenarios.
The UK NIS Regulations aim to ensure that operators of critical services in the UK are prepared to deal with the increasing number of cyber threats. They impose enhanced legal obligations on operators of “essential services” (OES), including electricity, transport, water, energy and health. They also cover “relevant digital service providers” (RDSPs), who offer online search engines, online marketplaces or cloud computing services to persons within the EU.
When the UK departs the EU, RDSPs established in the UK that offer services in the EU may be required to designate a representative in an EU Member State. In contrast, the law will apply in much the same way to OES pre- and post-Brexit.
Implications of a “no deal” Brexit on relevant digital service providers (RDSPs)
If you are an RDSP, the UK government has advised that in a “no deal” scenario you should consider:
- Where is your main establishment?
If your main establishment is in the UK and you offer services in the UK, you will need to register with the Information Commissioner’s Office (ICO) and comply with the NIS Regulations. No specific preparations are needed for the exit date.
If your main establishment is in an EU Member State, you are required to comply with the law in that state.
- If your main establishment is in the UK, do you offer services within the EU?
If you are a UK-based RDSP and offer services within the EU, you may be required to designate an established representative in the EU Member State where you offer services. You must also comply with the law in that state.
Your representative should act on your behalf, and it should be possible for supervisory authorities (e.g. the ICO in the UK) to contact your representative.
You should designate the representative by following the formal process set by the relevant EU Member State’s supervisory authority, stating that the representative will act on your behalf to fulfil your obligations under the NIS Directive, including incident reporting.
- Do you need to inform the ICO?
Yes – if your main establishment is in an EU Member State.
Yes – if you have designated a representative in an EU Member State.
Yes – if your network and information systems are located in one or more EU Member States.
Although the above reflects the current advice from the UK government, it is unknown whether this will be required, as it may depend on future agreements between the UK and each EU Member State. As usual with Brexit, it is a case of “watch this space”.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) has been incorporated into UK law through the European Union (Withdrawal) Act 2018. In all Brexit scenarios, you must continue to comply with its strict security requirements for the protection of personal data, as well as its increased breach notification requirements.
If you are based in the UK and do not have a branch, office or other establishment in the European Economic Area (EEA) post-Brexit, but offer goods or services to individuals in the EEA or monitor the behaviour of those individuals, you will need to appoint a representative in an EEA state where some of the individuals whose personal data you are processing are located.
Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is the UK legislation that implemented the EU’s e-Privacy Directive. PECR complements the GDPR and sets out more specific privacy rights regarding electronic communications. It will continue to apply in both a Withdrawal Agreement and “no deal” Brexit scenario.
The upcoming e-Privacy Regulation is unlikely to come into force before the exit date and therefore will not form part of UK domestic law. However, the UK is likely to pass domestic legislation equivalent to the e-Privacy Regulation in the future. As such, you should anticipate needing to comply with the e-Privacy Regulation once finalised, whatever the outcome of Brexit.
The UK’s exit from the EU may mean losing its seat on the management board of Europol, the EU’s agency for law enforcement cooperation. In this way, a “no deal” scenario may substantially weaken the UK’s ability to participate in complex cybercrime investigations.
Cybersecurity Act
In December 2018, the European Commission adopted a proposal to introduce legislation, referred to as the ‘Cybersecurity Act’. This legislation would create an EU-wide cybersecurity certification framework for ICT products and services and establish a permanent EU Cybersecurity Agency.
Although it is unlikely that the Cybersecurity Act will come into force prior to the exit date, the UK government has stated its desire for the UK to maintain the broadest possible cooperation with the EU to address cybersecurity threats. As such, organisations should be alert to the possibility of an equivalent regime being introduced in the UK post-Brexit.
Watch this space
Of course, all of the above could change if an extension to the Article 50 deadline is agreed, allowing more time to negotiate a new Withdrawal Agreement. And there’s always the possibility of a second referendum.
Sarah Stephens is head of cyber & commercial E&O for the Europe, Middle East, and Africa (EMEA) Region at JLT Specialty.
For more information, please visit: https://www.jlt.com/insurance-risk/cyber-insurance