Just 10 months will separate the introduction of new cybersecurity regulations in the UK from the country’s ultimate departure from Brussels – but the timing could not be better

Last week, the UK government issued its response to the public consultation on the NIS Directive – the first EU-wide cybersecurity legislation that all Member States must transpose into their national laws by May 9, 2018.

Although the final draft regulation is due to be published over the coming weeks, the government response laid out numerous forthcoming changes to the country’s cybersecurity law, which includes fines of up to £17 million for critical infrastructure organizations who fail to implement safeguards against cyber-attacks.

A new breach reporting system, the appointment of sector-specific cybersecurity regulators, and new measures to tackle IT threats, such as power outages, hardware failures, and environmental hazards, are also in the pipeline.

While the regulatory amendments have no doubt caught the attention of CISOs across the country, the implementation of the NIS Directive is, of course, taking place amid a much wider change: the UK’s forthcoming departure from the European Union.

It may seem ironic that the UK’s new, NIS-compliant cybersecurity regulation will be brought into law as the country itself prepares to leave the EU. But in reality, the timing could not be better.

Carbon copy

In October 2016, David Davis, the UK’s Secretary of State for Exiting the European Union, said the government would be working to “ensure there is no black hole” in its statute book once the country leaves the EU on March 29, 2019.

And indeed, as outlined in the European Union Withdrawal Bill, the laws and regulations made over the past 40 years while the UK was a member of the EU will continue to apply to the country, post-Brexit:


EU-derived domestic legislation, as it has effect in domestic law immediately before exit day, continues to have effect in domestic law on and after exit day.


Speaking to The Daily Swig via email this week, Stuart Peters, head of EU Cyber Security Regulatory Policy at the UK’s Department for Digital, Culture, Media, and Sport, confirmed there would be no disruption to the country’s cybersecurity laws after Brexit.

“The plans outlined in the government’s response, that build on the original consultation, will be adopted into the UK’s domestic legislation,” Peters said.

“A regulation will be submitted to Parliament in April in order to ensure that the Directive comes into effect from May 10, 2018.

“The legislation that we are proposing to submit to Parliament in April will remain in effect post-Brexit and will continue to apply within the UK.”

Secure pathway

The NIS Directive forms an important part of the UK government’s five-year National Cyber Security Strategy to protect the nation from cyber-threats.

The implementation of the new regulations will go a long way to helping the country shore up its defenses, but what’s equally important is that the UK will be leaving the EU with up-to-date cybersecurity laws that match the future vision of policymakers in Brussels (and the 27 Member States they represent).

Towards the end of last year, Home Secretary Amber Rudd said the UK will seek the “closest possible cooperation” with the EU on matters of security and law enforcement after Brexit.

Rudd’s comments echo the aims laid out in the country’s National Cyber Security Strategy, which states: “We will deepen existing links with our closest international partners, recognizing that this enhances our collective security. We will do this both bilaterally and multilaterally, including through the EU, NATO, and the UN.”

As cyber-attacks continue to grow in terms of both scale and sophistication, communication between nations is now more important than ever before.

If the EU measures were earmarked to be brought in after the UK departed from Brussels, the country risked a looming policy disjuncture, which would only serve to hinder future cybersecurity dialogue.

As it stands, however, the UK – as with all Member States – will sign its NIS Directive measures into law by May 9, 2018.

And although just 10 short months will separate this date from the country’s ultimate departure from Brussels, the implementation of the new cybersecurity laws will help ensure that the vital communication channels between the EU and Britain will remain open.