Second report of Session 2021–22

3 Cybersecurity: EU Strategy and revised Network and Information Systems Directive [7]

These EU documents are politically important because:

  • the Government acknowledges that the proposed Network and Information Systems Directive has the potential to invoke Article 13(4) of the Northern Ireland Protocol; [8] and
  • as the Communication refers to a cybersecurity framework that the UK has maintained after EU Exit, it holds domestic relevance for the Government as it develops the UK’s own post-Brexit national cybersecurity strategy.

Action

  • Draw this Report chapter to the attention of the Digital, Culture, Media and Sport Committee, the Home Affairs Committee, the Foreign Affairs Committee and the Defence Committee.

Overview

3.1 The two documents under scrutiny concern a Commission Communication on the EU’s Cybersecurity Strategy for the Digital Decade and a related Directive on measures for a high common level of cybersecurity across the Union.

3.2 The EU’s Cybersecurity Strategy for the Digital Decade was adopted on 16 December 2020. The document outlines the EU’s proposals and forthcoming interventions to bolster Europe’s collective resilience against cyber threats and safeguard citizens and businesses by ensuring trustworthy and reliable services and digital tools. The European Commission considers this one of its top priorities.

3.3 The second document under scrutiny is a proposal for a revision of the Network and Information Systems Directive (also known as the ‘NIS’ Directive). The proposal is based on the results of a review of the current iteration of the Directive. [9]

3.4 The original NIS Directive entered into force in 2016. It places requirements on EU Member States to identify ‘Operators of Essential Services’ and ensure that they have appropriate and proportionate security measures in place to manage and mitigate any risks to their network and information systems, and to ensure the security of critical services that are important for the economy and wider society. The proposal under scrutiny would repeal the original NIS Directive and make amendments to its general framework by increasing its scope to add organisations from a range of further sectors to its list of ‘Operators of Essential Services’. By doing so, operators in these areas would become subject to an EU-wide regulatory regime.

3.5 As the UK is no longer an EU Member State, it will not have to implement the proposed Directive. However, as the proposal refers to a framework that the UK has maintained after EU Exit, it retains domestic relevance.

3.6 For further information on both EU documents and our initial assessment of their legal and political importance, see our Fortieth Report of 2019–21. [10]

3.7 In our Fortieth Report of Session 2019–21, we considered the Commission Communication and the accompanying proposed Directive, and deemed both to be politically important. We wrote to the Minister responsible for the documents, Parliamentary Under Secretary of State at the Department for Culture, Media and Sport (Matt Warman MP), requesting further information on the steps that the Government had taken/was going to take in light of the measures suggested by the Commission. Our letter principally focussed on the potential implications of the documents for UK law and policy, in particular, concerning Northern Ireland, and UK-based stakeholders. The Minister has since written in reply—dated 7 April—and his response is considered below. [11]

The Minister’s letter of 7 April 2021

3.8 In our letter of 17 March 2021, we noted that the Government’s Explanatory Memorandum (EM) highlighted elements of the Commission’s proposed NIS Directive as having the potential to be raised with the UK by the EU under Article 13(4) of the Northern Ireland Protocol. Article 13(4) stipulates that in the event of the EU adopting a new Act that falls within the scope of the Protocol, the Withdrawal Agreement Joint Committee will decide whether Northern Ireland also has to adopt the new rules. If a decision cannot be reached, alternative measures to ensure the continued good functioning of the Protocol will be explored. We asked the Minister to provide further information on the likelihood of this transpiring and, were it to, what impact this could have on Government policy for the UK’s own cybersecurity strategy.

3.9 In response, the Minister notes that, as stated in its EM, the Government does not foresee any issues arising under Article 13(4) of the Northern Ireland Protocol. The Minister recalls that Article 13(4) is only relevant where the Union adopts a new act that falls within the scope of this Protocol and that, while the NIS Directive governs the security requirements of operators of essential services and digital service providers, this is not covered by the provisions of the Northern Ireland Protocol on customs, tariffs, or trade. As a result, the Minister believes that any potential impact on the UK’s own cybersecurity strategy would be very low.

3.10 We also drew attention to Part 4 of the UK/EU Trade and Cooperation Agreement (TCA) providing scope for future cooperation between the UK and the EU in the cybersecurity field. In light of this, we asked the Minister to provide further information on how the UK might potentially interact with new and existing bodies outlined in the EU’s Cybersecurity Strategy, such as its NIS Cooperation Group and Joint Cyber Unit, as well as the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) and the EU Agency for Cybersecurity (ENISA).

3.11 In response, the Minister acknowledges that Part 4 of the TCA allows for the UK to cooperate with the EU on cyber security through the activities of the Computer Emergency Response Team (CERT-EU), and some activities of the NIS Cooperation Group, and ENISA (albeit that the UK’s participation in these fora is voluntary, by invitation or request, and agreement on suitable working arrangements for these groups). The Minister explains that the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) is being established to coordinate incident response among EU Member States and EU institutions in particular and that, at the time of writing, the Joint Cyber Unit has yet to be set up. The Minister therefore notes that, in light of this, and lacking any further information in regard to the possibility of international cooperation with these two organisations, the Government does not have any plans to engage at this time.

3.12 We also asked for further information on how potential UK interaction with various EU bodies might affect continued UK participation in the Five Eyes intelligence alliance and ongoing cooperation with NATO allies in the field of cybersecurity.

3.13 In response, the Minister states that the UK’s participation in any of the EU fora mentioned in its EM has no impact or bearing on the UK’s continued participation in the Five Eyes intelligence alliance, nor does it affect its ongoing cooperation with NATO allies on cyber security.

3.14 Finally, in our letter, we noted that, following the end of the post-Brexit transition period, the EU’s General Data Protection Regulation has been converted in the UK into retained EU law. In light of this, we asked the Minister to provide more information on how the UK’s core data protection principles, rights and obligations may evolve in 2021 and beyond.

3.15 The Minister does not directly address this query. That said, the Government’s original EM and the Committee’s previous Report chapter into both EU documents highlight that the Government is in the early stages of developing the UK’s own post-Brexit cybersecurity strategy and that further announcements will be made later this year.

Action

3.16 We draw this Report chapter to the attention of the Digital, Culture, Media and Sport Committee, the Home Affairs Committee, the Foreign Affairs Committee, and the Defence Committee.

7 Document (a)—Joint Communication to the European Parliament and the Council on the EU’s Cybersecurity Strategy for the Digital Decade; Council and COM number: 14133/20,—; Legal base: N/A; Department: Digital, Culture, Media and Sport; Devolved Administrations: Not consulted; ESC number: 41774. Document (b)—Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148; Council and COM number: 14150/20 + ADDs 1–6, COM(20) 823; Legal base: Article 114 TFEU, QMV, ordinary legislative procedure; Department: Digital, Culture, Media and Sport; Devolved Administrations: Not consulted; ESC number: 41773.

8 Article 13(4) of the Protocol states “Where the Union adopts a new act that falls within the scope of this Protocol, but which neither amends nor replaces a Union act listed in the Annexes to this Protocol, the Union shall inform the United Kingdom of the adoption of that act in the Joint Committee. Upon the request of the Union or the United Kingdom, the Joint Committee shall hold an exchange of views on the implications of the newly adopted act for the proper functioning of this Protocol, within 6 weeks after the request. As soon as reasonably practical after the Union has informed the United Kingdom in the Joint Committee, the Joint Committee shall either: (a) adopt a decision adding the newly adopted act to the relevant Annex to this Protocol; or (b) where an agreement on adding the newly adopted act to the relevant Annex to this Protocol cannot be reached, examine all further possibilities to maintain the good functioning of this Protocol and take any decision necessary to this effect. If the Joint Committee has not taken a decision referred to in the second subparagraph within a reasonable time, the Union shall be entitled, after giving notice to the United Kingdom, to take appropriate remedial measures. Such measures shall take effect at the earliest 6 months after the Union informed the United Kingdom in accordance with the first subparagraph, but in no event shall such measures take effect before the date on which the newly adopted act is implemented in the Union.”

9 European Commission, ‘Annexes to the Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive 2016/1148’, SEC(20) 430 final, SWD(20) 344 final and SWD(20) 345 final.

10 Fortieth Report HC 229-xxxv (2019–21), chapter 1 (17 March 2021).




Published: 1 June 2021