UK – Cybersecurity Legislation in the UK

In the UK there are a few older and newer cybersecurity laws in place:

The Network and Information Security Directive 2016/1148 (NIS Directive) is due to be implemented in all member states of the European Union by 10 May 2018.

Because of Brexit, the UK has developed its own legislation: it used the NIS Directive as the basis for the Network and Information Systems Regulations 2018 (NIS Regulations), which came into effect on 10 May 2018 as the UK's follow-up to the NIS Directive.

This new legislation applies, as in the Netherlands, to businesses that rely on IT systems in the following sectors: energy, transport, health, drinking water supply and distribution, digital infrastructure, online marketplaces, online search engines and cloud computing services.

Businesses subject to the NIS Regulations should be familiar with the work of the National Cyber Security Centre (UK NCSC) and the guidance it publishes on complying with the NIS Regulations. The UK NCSC also oversees the "Cyber Essentials" certification scheme. This is a government-backed and industry-supported scheme that provides self-assessment certification to help organisations protect themselves against common cyber-attacks, and it aids compliance with the NIS Regulations. It includes a security questionnaire and external vulnerability testing to assist businesses in assessing their cybersecurity.

A failure to meet the requirements of the NIS Regulations can result in enforcement action, including the imposition of significant penalties up to a maximum of £17 million.

The Dutch National Cyber Security Centre (NL NCSC), acting on behalf of the Secretary of State for Safety and Justice (Minister van Veiligheid en Justitie), has created the Dutch National Cyber Security Strategy. The NL NCSC is not to be confused with the UK NCSC (National Cyber Security Centre), which is part of GCHQ (Government Communications Headquarters), one of the three UK intelligence and security agencies alongside MI5 and the Secret Intelligence Service (MI6).

On 25 May 2018 the General Data Protection Regulation 2016/679 (GDPR) became effective in the UK. It remains directly effective for as long as the UK is a member of the European Union. Even though the UK is planning to leave the EU, it will still need to comply with the GDPR. One reason is the cross-over period between the GDPR coming into force and the UK exiting the EU. Another is the extraterritorial reach of the GDPR: UK companies that continue to do business with the EU after Brexit will need to comply with the Regulation to avoid infringements.