March 19, 2018
The Notice states that, subject to any transitional arrangement that may be contained in a possible withdrawal agreement, the EU rules in the field of security of network and information systems will no longer apply to the UK as of the withdrawal date.
Currently, Article 16 of Security of Network and Information Systems Directive (2016/1148/EU) imposes on digital service providers certain requirements on security and incident notification. Pursuant to Article 17, these requirements are subject to ex post supervisory control by the relevant national authority. Article 18 sets out the rules on the jurisdiction for such supervisory activity.
The Notice states that, as of the withdrawal date, a digital service provider subject to the jurisdiction of the UK before the withdrawal date because its main establishment in the EU was in the UK may be subject to the following:
- if the digital service provider maintains one or several establishments in the Member States of the EU27, it will be deemed to be under the jurisdiction of the Member State in which it has its main establishment, thus effectively resulting in a change of national authority; and
- if the digital service provider is no longer established in the EU27 but offers digital services into the EU27, it will be subject to the obligation to designate a representative in a EU27 Member State in accordance with Article 18(2).
Further, the Notice states, a digital service provider not established in the EU27 or in the UK, but subject to the jurisdiction of the UK before the withdrawal date because it had designated a representative in the UK in accordance with Article 18(2) will, as of the withdrawal date, be subject to the obligation to designate a representative in an EU27 Member State where the services are offered by that digital service provider in accordance with Article 18(2).
Consequently, the Notice states, the relevant national authority, as understood under Article 8, of that Member State where the digital service provider has either its main establishment or has designated a representative, will receive notifications of incidents taking place within the EU and will exercise ex post supervisory control. To read the Notice in full, click here.