Data Protection & Cybersecurity
Last updated: 5 January 2018

Bird & Bird's EU Legislation Tracker highlights Regulations and Directives scheduled to take effect or to be implemented by Member States in the period prior to the UK's departure from the EU. It does not provide an exhaustive survey. Instead, we have sought to summarise some of the key legislation, both draft and finalised, which we are tracking in the run up to Brexit and which are likely to be of interest to companies which do business in the UK and/or elsewhere in Europe.

The Tracker includes a short commentary on the substance of each of the measures identified, and a timeline for their known or likely effective dates (for Regulations) or implementation deadlines (for Directives). These are colour coded by reference to the likely date of Brexit.

For the purposes of the Tracker, we have assumed that the UK will exit the EU two years from its service of the Article 50 notice (i.e. on 29th March 2019). However, a transitional period is expected to follow, until the end of 2020, during which the UK will be required to continue to align its laws with those of the EU Single Market and Customs Union. It is currently expected that the EU Withdrawal Bill will be enacted with effect from the exit date and that the resulting Act will retain all EU Regulations (and statutory instruments implementing EU Directives) in UK domestic law. However, the Act is also expected to enable amendments to such Regulations by statutory instruments during a two-years period, and this process will determine the final form, in UK domestic law, of such legislation now summarised in our Tracker.

Implementation status 
  Implementation deadline/effective date likely to be pre-Brexit
  Implementation deadline/effective date likely to be post-Brexit
Timeline EU legislation

Implementation deadline

9 May 2018

Network and Information Security Directive (NISD) (Directive (EU) 2016/1148)
  • Will introduce a framework of cyber security risk management for 'essential' and 'digital' service providers.
  • Regulated sectors will have to report cyber-attack incidents to a national competent authority in countries where they operate and adopt measures to manage security risks.
  • Likely to regulate energy, transport, banking, financial market infrastructure, health, water, cloud service and social media service providers amongst others.

Read more >


Takes effect:

25 May 2018

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • The EU's cornerstone data protection legislation 
  • Will replace Member State laws which implement the Data Protection Directive (95/46/EC).



Takes effect:

[Target is 25 May 2018?]

Draft: ePrivacy Regulation (Regulation on Privacy and Electronic Communications)
  • The EU's proposed refresh of laws which regulate e-marketing, cold calling, cookies/other tracking technology, location data, network security and other communications issues.
  • EC's draft Regulation published 10 January 2017.

Read more >

Bird & Bird's EU Legislation Tracker 
Aviation Data Protection & Cybersecurity HR and Employment Banking & Financial Services Intellectual Property Media Tax