Government publishes guidance for digital service providers on the Network and Information Systems Regulations 2018 in a “no deal” EU exit scenario

The European Parliament adopted the Security of Network and Information Systems Directive (2016/1148/EU) in July 2016. The NIS Directive provides legal measures to boost the overall level of network and information system security in the EU. It applies to operators of essential services and relevant digital service providers (RDSPs). The guidance refers only to RDSPs.

The NIS Directive was incorporated into national law via the Network and Information Systems Regulations 2018 in May 2018. Under the NIS Regulations, RDSPs are required to register with the ICO, and have appropriate and proportionate security measures in place to manage risks to the network and information systems that support their service.

Under the NIS Directive, a digital service provider that is not established in the EU, but offers services within the EU, has to designate a representative in the EU. The representative must be established in one of the EU Member States where the services are offered, and the digital service provider is deemed to be under the jurisdiction of the EU Member State where that representative is established.

Currently, an RDSP based in the UK and providing services in another EU Member State does not need to designate a representative in that EU Member State.

However, in the event of a “no deal” departure from the EU, RDSPs established in the UK that offer services in one or more EU Member States might be required to designate a representative in one of the EU Member States where they offer services. Currently, the Government does not know whether this will be required, saying that it may depend on the future agreements with each Member State of the EU. Nevertheless, the guidance states, “RDSPs must prepare for the eventuality that they will be required to designate a representative in an EU Member State where they offer services”.

The guidance explains that those affected are digital service providers that:

  1. have 50 or more staff or a turnover of more than €10 million per year or a balance sheet total of more than €10 million per year; and
  2. have their main establishment in the UK; and
  3. offer services in the EU.

The guidance then sets out the steps an RDSP will need to take in the event of a “no deal”. Essentially, RDSPs need to work out where their “main establishment” is based and exactly which countries they offer services in.