The EU's digital resilience and cyber security-related legislative framework doesn't just impact EU businesses but will introduce significant requirements for those in the UK as well, to the extent that their products/services provided within the EU are subject to the new legislation. Much of the EU's framework is new or incoming and the scope is broad (in many cases applying to software offerings as well as other products and services). To continue doing business in the EU, UK businesses will need to include applicable EU legislation in their compliance strategies.
Establishing applicability
The obvious starting point will be to establish whether the requirements of the EU legislation apply to the products/services being provided. Recent EU legislation for UK businesses to consider includes Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2), Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (CRA), and Directive (EU) 2022/2557 on the resilience of critical entities (CER) (see our article for more). Determining the scope of these regimes is not always straightforward, including their territorial and personal scope. Many of these laws have UK parallels which cover similar if not identical ground, leading to an even more complex compliance burden for businesses caught by both regimes. The table below provides a high-level overview.
| | Application to in-scope products/services in the EU | UK parallel |
|---|---|---|
| DORA | Applies to a broad range of EU regulated financial services firms under various sub-sectors including banking, insurance, funds, financial markets infrastructure and a few others as referenced in Article 2. If UK financial services firms have group entities that are authorised by EU financial services authorities, they are likely to be in scope. DORA also applies directly to those ICT providers that will be designated as 'critical' under the criteria set out in Article 31. UK entities that provide "ICT services" to in-scope financial services firms and such designated "critical" ICT providers in Europe are also likely to be indirectly affected by the requirements. | Various similar requirements in the UK are established by the Financial Conduct Authority, Prudential Regulation Authority and Bank of England across various policy statements and guidance, depending on the type of firm, e.g. the FCA's and PRA's requirements on Operational Resilience, alongside broader requirements in areas such as outsourcing. The FCA, PRA and BoE have also introduced a UK Critical Third Party Regime. The FCA is also consulting on further requirements relating to Operational Incident and Third Party Reporting. |
| NIS2 | Broadly, UK public or private entities in certain 'high criticality' and 'critical' sectors (listed in Annex I or II of the Directive) that meet the specified size threshold, and certain other entities regardless of their size, will be in scope where they provide their services or carry out their activities within the EU. There are also certain exclusions and provisions enabling Member States to apply the requirements more widely in certain cases. | The UK's Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) implement the original NIS Directive. The Cyber Security and Resilience Bill, aiming to strengthen essential public services and infrastructure against cyber criminals and state actors, was announced in July 2024 and is expected to be introduced to Parliament in 2025. |
| CER | UK businesses may be identified as 'critical entities' by Member States, in which case they will be in scope. When assessing whether or not an entity is critical, Member States will consider various factors, including whether or not the entity provides essential services within the relevant sectors (as defined in the Annex), whether it operates and has critical infrastructure located in the territory of that Member State, and how disruptive an incident would be to relevant essential services. UK businesses identified as providing in-scope services in six or more Member States may also be designated as 'critical entities of particular European significance' under Article 17. | The UK does not currently have consolidated legislation addressing primarily physical risks to critical infrastructure. Critical national infrastructure is protected under the Critical National Infrastructure Framework, which is overseen by the government via various agencies including the National Protective Security Authority. In September 2024, the government designated data centres as critical national infrastructure, bringing these within the scope of the framework. |
| CRA | Applies to 'products with digital elements' made available on the EU market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network (second-hand products may be included). 'Products with digital elements' is very broad and includes certain software products, and remote data processing solutions of hardware products (including software components to be placed on the market separately). There are certain exceptions. UK businesses making in-scope products available in the EU may be in scope, e.g. of obligations on manufacturers and distributors. Other parties in the supply chain such as EU importers and EU authorised representatives are also in scope. | The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) applies to relevant connectable products which can connect to the internet or other networks, can transmit and receive digital data, and are made available in the UK (most second-hand products will be excluded). Software (a) used for the purposes of, or in connection with, the operation of a relevant connectable product, (b) used by a person during, or in connection with, using a relevant connectable product, and (c) used for the purposes of providing a service to a person by means of a relevant connectable product is also in scope. UK importers, manufacturers and distributors are caught. |
Establishing relevant jurisdiction
NIS2 and the CER are Directives which are implemented into national Member State law. This means UK businesses caught by a Directive will need to establish which Member State regime is relevant to their in-scope products/services. In some cases, more than one Member State regime may apply.
For example, under NIS2, an in-scope organisation may be subject to the separate and concurrent jurisdiction of multiple Member States, depending on where it is established and where the in-scope products/services are provided. However, given the multijurisdictional nature of the services provided by certain digital services providers (DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms), jurisdiction for such providers will be established based on the provider's "main establishment". This is determined based on where decisions related to the cyber security risk management measures are predominantly taken (or, if that cannot be determined, with reference to other factors such as where cyber security operations are carried out or the location with the most employees).
The CER recognises that two or more Member States might house physically connected critical infrastructure (used when providing in-scope services) within their respective territories, and so encourages the competent authorities of such Member States to consult one another, whenever appropriate, for the purpose of ensuring that the Directive is applied in a consistent manner.
This means many businesses will be monitoring developments in various jurisdictions.
Mapping compliance requirements
To avoid duplication of compliance efforts, it is important to understand which EU legislation applies to the in-scope products/services (and to what extent), and to look at the similarities between the EU requirements and the UK equivalents with a view to streamlining compliance.
The EU regime is comprehensive but attempts to minimise duplication of themes in some areas. Certain sector-specific acts like DORA will take precedence over horizontal legislation like NIS2. Further, legislation is drafted to avoid repeating existing requirements, e.g. the CER does not cover cyber security requirements as these are addressed under NIS2.
As such, financial services entities in scope of DORA will generally not be subject to either NIS2 or certain provisions of the CER. However, providers of digital infrastructure services (such as data centres) subject to cyber security requirements under NIS2 may also be subject to the CER in respect of other physical risks to their operations, and to the CRA in respect of their supply chains.
Once the applicable EU requirements have been established, these will need to be mapped against the UK regime to identify overlaps. For example, action points for manufacturers and distributors of in-scope products under the CRA and the PSTIA have some similarities (although the PSTIA is somewhat narrower than the CRA).
UK businesses will also need to monitor developments in the UK as the pre-Brexit legislation is updated. For example, the NIS Regulations in the UK are set to be updated.
Although the requirements under the EU and UK regimes may be similar, there will be some key areas of divergence. For example, in respect of incident reporting requirements, UK businesses will need to understand which regulatory bodies must be informed in case of an incident under each applicable EU law and take account of differing compliance deadlines. See here for more.
Application throughout the supply chain
Both the EU and UK regimes set out various requirements that may need to be flowed down through the supply chain of the entity in scope. For example, DORA sets out extensive requirements around contractual terms that in-scope financial services firms will need to put in place with their ICT service providers, and some of these relate to mapping the supply chains connected to the relevant ICT services being provided and to contractual terms to be flowed down through such supply chains (for more detail, see here). UK ICT service providers to such firms will need to identify their relevant supply chains and may need to rework their existing contractual terms with their suppliers to reflect the DORA-specific contractual requirements of their in-scope EU financial services customers.
NIS2 also requires Member States to adopt policies addressing cyber security in the supply chain for ICT products and services used by in-scope entities for the provision of their services. As such, UK businesses might need to monitor the development of such policies in relevant jurisdictions to see how their supply chain contracting may be affected.
An integrated approach
Once it's clear which laws apply, and a mapping exercise has been carried out, taking into account the full supply chain, it should be easier for organisations to embed processes to ensure compliance with the full applicable regime. Please let us know if we can help with any of these steps.