The European Commission originally proposed the first EU-wide directive on Network and Information Security (NIS) alongside an associated cybersecurity strategy in 2013. The key priorities of this new cybersecurity strategy are:
- Achieve EU cyberresilience
- Reduce cybercrime in EU member states
- Develop a cyberdefence policy in line with the EU’s Common Security and Defence Policy (CSDP)
- Provide the necessary industrial and technological resources for strong cybersecurity capabilities
- Establish a comprehensive international cyberspace policy for all EU member states
Specific goals of the directive include improvements to cybersecurity provisions at a national level, developing powerful risk management and incident reporting systems, as well as creating a unified co-operation network across competent EU authorities. The European Parliament has adopted the directive, which is forecasted to be transposed into the laws of all EU member states by May 2018.
Following the Brexit referendum result, the extent to which the NIS directive will be implemented in the UK remains unclear. Whatever the outcome of discussions, operators of essential services as recognised by the UK government, and digital service providers with 50 employees or more, should start to prepare for the future consequences.
If the directive is transposed into UK law, organisations will need to introduce new measures to protect themselves against cybersecurity threats, and ensure the appropriate management systems are in place to report and deal with any cybersecurity incidents accordingly.
However, even if the UK government decides not to implement the directive before the UK leaves the EU, future compliance is still an important issue. Both essential service operators and digital service providers may still be liable in other EU member states. The directive will apply on an extraterritorial basis, such that digital service providers offering their services in Europe will be affected – even if those services are provided from the UK.
While these changes will be costly for organisations to put into effect, it will allow them to safeguard the trust of global customers and protect their reputation on an international level. The UK will need to prove it can still be considered to be a country with adequate data protection provisions. Consequently, the UK Data Protection Authority would be wise to encourage the UK government to comply with new EU data protection laws and cybersecurity strategy. With 10% of the UK’s 2015 GDP coming from digital service providers, this is not an issue to be ignored or underestimated.
At this point, it seems sensible to prepare your organisation thoroughly for the changes to come. Proceeding with the idea that the NIS directive will be implemented before the UK leaves the EU for good can only bolster and strengthen your cybersecurity capabilities in the long term.