By Ross McKean (Partner, London) and Linzi Penman (Associate, Edinburgh)
With the annual cost of cybercrime and cyber espionage to the world economy estimated in the hundreds of billions of dollars, and with accusations from various Western governments and law enforcement agencies that a sustained campaign of cyber-attacks targeting democracy and critical infrastructure is being carried out in the West, legislators have come under sustained pressure to toughen cyber laws.
The cybersecurity strategy for the European Union and the European agenda on security provide an overall framework for the numerous EU initiatives to improve cybersecurity and tackle cybercrime. This remains a key priority for the EU institutions, which have repeatedly stated that the digital economy within the single market depends on trust in secure information networks and systems.
Progress towards bolstering cybersecurity across Europe was made at an EU level in 2016 with the adoption of the Network and Information Security Directive, which requires implementation by Member States on or before 9 May 2018. The Directive is the first EU-wide piece of legislation concerning cybersecurity, with its core objectives being to:
- enhance cybersecurity at a national level,
- increase cooperation among Member States on the matter, and
- impose certain obligations aimed at improving cybersecurity on operators of ‘essential services’ (i.e. water, energy, transport, health, finance, banking, ISPs, DNS).
UK Position – DCMS implementation of NIS Directive
The UK Government advised last year that it is ‘taking stock of the EU referendum outcome and looking at what impact this might have, if any, on the UK Government’s plans for implementing the NIS Directive’. This, coupled with reports that the UK Government may use access to UK intelligence services as a bargaining chip in the forthcoming Brexit negotiations and reports that GCHQ has concerns about the ability of its European equivalent organisations to keep secrets, had led some to question whether the NIS Directive would be implemented at all in the UK. However, Stuart Peters – the Head of EU Cyber Security Regulatory Policy – noted last week that the UK “will still be members of the EU in May 2018 when the Directive is due to come into force…. [and the] UK Government is therefore continuing to implement the Directive.”
As yet, there are no official proposals as to how the UK will implement the NIS Directive. However, the Department of Culture, Media and Sport notes that the government intends to submit its proposed plan by the end of February/beginning of March, with an impact assessment and public consultation planned to be conducted in April and June 2017, respectively.