On 7 July, the European Commission launched a consultation on a proposed revision of the Network & Information Systems Directive (Directive 2016/114), which could potentially lead to deeper harmonisation of cybersecurity law within the European Union.

Who does the NIS Directive apply to?

The NIS Directive, also known as the Cybersecurity Directive, was introduced to achieve high level harmonisation of the security of network and information systems within the EU.

The Directive is implemented in the UK through the 2018 NIS Regulations, which apply to operators of essential services (“OES”) such as energy and transport, as well as to certain digital service providers (“DSP”), including online market places and cloud service providers.

Both OES and DSPs are subject to certain security obligations to ensure that the security risks to which their network and information systems are exposed are managed by appropriate and proportionate security measures. Both categories of organisations are also required to notify their relevant authorities within 72 hours of becoming aware of any data security incident which has a significant impact on their services.

Why is the NIS Directive being reviewed?

The EU Member States have each adopted very different approaches when implementing the NIS Directives, leading to inconsistencies in the regulatory landscape, which further raises the concern that the level of protection of the essential network and information systems in the EU is insufficient.

The consultation is therefore expected to further inform the European Commission of how the NIS Directive has been implemented to date and what future changes may be required to address the existing concerns.

Implications for Brexit and the future of UK’s cybersecurity legislation

 The consultation will remain open until 2 October and the Commission is expected to introduce a new legislative initiative in the last quarter of 2020.

As the UK has left the European Union and the Brexit transition period would have lapsed when such new legislation does come into effect, it will be the UK’s decision to align its national law with the new EU cybersecurity legislation. 

If the UK choses to diverge from such EU regulations however, OES and DSPs operating in the UK and the EU will be required to comply with both cybersecurity legislation regimes.