Data Protection and Cybersecurity


Last updated: 5 January 2018

Bird & Bird's EU Legislation Tracker highlights Regulations and Directives scheduled to take effect or to be implemented by Member States in the period to the UK's departure from the EU. It does not provide an exhaustive survey. Instead, we have sought to summarise some of the key legislation, both draft and finalised, which we are tracking in the run-up to Brexit and which is likely to be of interest to companies which do business in the UK and/or elsewhere in Europe.

The Tracker includes a short commentary on the substance of each of the measures identified, and a timeline for their known or likely effective dates (for Regulations) or implementation deadlines (for Directives). These are colour coded by reference to the likely date of Brexit.

For the purposes of the Tracker, we have assumed that the UK will exit the EU two years from its service of Article 50 notice (i.e. 29th March 2019). Ultimately the UK's Great Repeal Bill will determine whether the UK will retain, implement, amend or repeal the legislation summarised in our Tracker and the date when this will happen.

Implementation status 
  Implementation deadline/effective date likely to be pre-Brexit
  Implementation deadline/effective date likely to be post-Brexit
Timeline EU legislation

Implementation deadline

9 May 2018

Network and Information Security Directive (NISD) (Directive (EU) 2016/1148)
  • Will introduce a framework of cyber security risk management for 'essential' and 'digital' service providers.
  • Regulated sectors will have to report cyber-attack incidents to a national competent authority in countries where they operate and adopt measures to manage security risks.
  • Likely to regulate energy, transport, banking, financial market infrastructure, health, water, cloud service and social media service providers amongst others.



Takes effect:

25 May 2018

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • The EU's cornerstone data protection legislation.
  • Will replace Member State laws which implement the Data Protection Directive (95/46/EC).



Takes effect:

[Target is 25 May 2018?]

Draft: ePrivacy Regulation (Regulation on Privacy and Electronic Communications)
  • The EU's proposed refresh of laws which regulate e-marketing, cold calling, cookies/other tracking technology, location data, network security and other communications issues.
  • EC's draft Regulation published 10 January 2017.

