Brexit cyber laws to impact major tech companies

Online marketplaces, online search engines and cloud computing service providers based outside of the UK but serving customers within the UK would be impacted by the proposed rules, which would amend the existing Network and Information Security (NIS) Regulations in the event of Brexit.

The NIS Regulations implement the EU's NIS Directive and took effect in May 2018.

The NIS rules are designed to ensure critical IT systems in central sectors of the economy are secure. Under the UK NIS regime, to 'digital service providers' (DSPs) – online marketplaces, online search engines and cloud computing service providers – face obligations to keep their networks and information secure and to notify certain security incidents to the Information Commissioner's Office (ICO).

In the case of DSPs, however, the UK NIS regime is only currently applicable to DSPs that have their head office in the UK. That would change under the government's proposed new regulations.

"This instrument will require digital service providers established outside of the UK but offering services within the UK to nominate a representative in the UK, and comply with the NIS Regulations," the government said in an explanatory memorandum issued alongside the proposed new regulations.

"The name and contact details of the representative must be provided to the information commissioner. The information commissioner or GCHQ should be able to contact the representative instead of, or in addition to, the digital service provider for the purposes of ensuring compliance with these Regulations," it said.

Without the changes, the information commissioner would be "unable to effectively regulate digital service providers based outside the UK but offering services within the UK which do not have their headquarters or a representative in the UK", the government said.

Cyber risk expert David McIlwaine of Pinsent Masons, the law firm behind Out-Law, said: "This amendment removes the 'headquarters lottery' aspect of the NIS regime, whereby a major technology company could avoid falling subject to the NIS rules altogether if it were not headquartered in the UK or EU and yet offers competing services in the jurisdiction."

The planned new regulations would also, if enacted, see the UK withdraw from an EU-wide cybersecurity certification framework post-Brexit. The creation of such a scheme is envisaged under a separate EU regulation, known informally as the Cybersecurity Act, which took effect earlier this year.

The government said last month that UK-based DSPs will need to appoint a representative in the EU under the NIS regime to avoid a potential fine in the event of a 'no deal' Brexit.

The NIS rules also apply to operators of 'essential services' in sectors such as banking, energy, health and transport.

A recent report by the Department of Health and Social Care (DHSC) highlighted how the NIS regime has helped to build cyber resilience in the health sector.

"The application of NIS in the healthcare sector is a good demonstration of regulatory levers being effectively used to increase compliance in NHS organisations and we will continue to develop policy that will allow us to make use of our regulatory levers to drive up standards of cybersecurity," DHSC said.

The department said it had already used its information-gathering powers under the NIS Regulations to obtain information from NHS Trusts where they have experienced network outages so as "to gain assurances that the Trusts have dealt quickly and effectively with technical issues and have sufficient plans in place to deal with such issues in the future".

It has also used its powers to bring "some of the most critical independent providers to the health and care sector" within the scope of the NIS regime, according to the report.

More broadly, the government has asked businesses to help it identify "barriers to taking action on cyber security, the information which would help organisations invest in cybersecurity, and what more organisations and government could do to stimulate more effective cyber risk management".

The call for evidence, opened by the Department for Digital, Culture, Media and Sport, is part of a review the government has undertaken on the topic of cybersecurity incentives and regulations.