Mind the Brexit gap in cyber security
Leaving the EU could mean a new cyber security regime for the UK – firms need to understand how the changes might affect them.
There will clearly be changes, not least that the UK is set to lose its seat on Europol’s management board and will no longer be able to shape European Union (EU) cyber security policy and regulation. However, there are many areas where it is still unclear what will change, so organisations will need to make sure they are aware of new developments, understand the implications for their business and respond quickly.
One area in doubt is the level to which EU cyber-related standards will continue to apply in the UK. For example, while the Network and Information Systems Regulations (NIS) , which is based on an EU directive, has now been put into law in the UK, some aspects of it require cross-EU cooperation, such as the participation in a Computer Security Incident Response (CSIR) team network. The nature of this cooperation will depend on the final deal between the UK and the EU.
The E-Privacy Regulation, which replaces the Privacy and Electronic Communications Regulations (PECR) , has yet to come into force, but may do so later this year and will have a one-year implementation period. Whether it will be implemented is likely to depend on a Brexit deal.
The EU has also proposed a new Cyber Security Act, but it is unlikely to be implemented before any transition period, although not being part of it could affect future information sharing between the UK and the EU. The real challenge is that if there is no deal, the UK may become a so-called third country, and this could raise concerns about UK standards which could have implications for UK organisations holding EU-related data.
Flow of personal data
The UK government has taken some action to address these uncertainties, including the recent ratification of Convention 108+, an agreement on robust data protection principles and rules signed by 25 other countries – 19 from Europe and six from the rest of the world.
This convention lets the signatory states share data, providing they implement its principles, which are aligned to the General Data Protection Regulation (GDPR). Although this does not remove the Brexit uncertainty, it will lessen the impact of a no-deal scenario and help to enable the continued flow of personal data.
Despite this move, organisations, especially those that trade in information between the UK and the EU, will need to take action to minimise any cyber security issues when trading with the EU and other countries.