Brexit + Cybersecurity: What You Need to Know

Cooley Alert
June 30, 2016

On 23 June 2016, the people of the United Kingdom voted to leave the European Union. Read our initial Q&A on Brexit and Privacy. However, it is important to remember that (for now) the UK remains part of the EU and we must abide by the current and upcoming data protection and security legislation until we are told otherwise. Plus, ask yourselves this – is cybersecurity something you are willing to sacrifice?


What is it? The General Data Protection Regulation ("GDPR") is a Regulation by which the European Commission intends to strengthen and unify data protection for EU citizens. It is due to come into force on Friday 25th May 2018 (before the UK will be able to leave the EU).

What's at stake? It will overhaul data protection legislation across the EU, imposing much stricter obligations on data controllers and data processors (regardless of their location or establishment) that offer goods or services to EU citizens' or monitor EU citizens' personal data in some way. Further, the UK's data protection regulator, the Information Commissioner's Office ("ICO") has commented that it intends to push for the UK to adopt the GDPR, despite Brexit.

Key takeaway: In or out. The GDPR is here to stay.


What is it? The Network and Information Security Directive (aka "the Cyber Directive", "the NIS Directive" or the "NISD") is part of the EU's cybersecurity strategy aimed at tackling network and information security incidents and risks across the EU. It is important to note that it is a Directive, which means each Member State will have to draft implementing legislation in order for it to become law, unlike a Regulation (like the GDPR), which becomes law automatically.  On its current timetable, the NISD seems likely to enter into force this summer. Following this, Member States will have 21 months to implement this Directive into their national laws and a further six months to identify operators of essential services. Practically, this means the UK will have to begin to draft implementing legislation over the coming months, a serious challenge against the current political backdrop.

What's at stake? The NISD will impose new network security and reporting requirements on operators of essential services and digital service providers in the energy, transport, banking and healthcare sectors, as well as providers of key digital services like search engines and cloud computing. Most commentary on the NISD agrees that this is a piece of legislation the UK will want to (and should) keep. It is aimed at countering cyber risk on a pan-European scale, via building and planning requirements, exchange of information, cooperation and common security requirements.

Key takeaway: Cyber risk has no borders, so pan-EU cooperation is vital.  This is a welcome piece of EU red tape that is coming soon.

ePrivacy Directive

What is it? A proposal by European Commission to reform the current ePrivacy Directive by 2017. Essentially, it will aim to be consistent with the GDPR and the NISD.

What's at stake? Like for the NISD (as a Directive rather than a Regulation) each Member State can choose the form of national legislation the ePrivacy rules will take. Currently, rules on cookies, processing of location data and unsolicited marketing vary across the EU. The rules affect almost everyone from telecom operators and other service providers to public authorities, consumer associations, citizens, businesses, manufacturers and academics. The UK will have to decide what line it wants to take on ePrivacy.

Key takeaway: Could go either way, but it would be sensible for the UK to follow the EU's recipe when it comes to cookies and the like.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.