July 29, 2019
The European Parliament adopted the Security of Network and Information Systems Directive (2016/1148/EU) in July 2016. The NIS Directive provides legal measures to boost the overall level of network and information system security in the EU. It applies to operators of essential services and digital service providers (DSPs).
The NIS Directive was incorporated into UK national law via the Network and Information Systems Regulations 2018 in May 2018.
The NIS Regulations define DSPs as organisations that provide online marketplace services, online search engine services, and/or cloud computing services. DSPs are in scope of the NIS Regulations if they have 50 or more staff, or a turnover of more than €10 million per year.
Under the NIS Directive, a DSP that is not established in the EU, but offers digital services within the EU, must designate a representative in a Member State in which it operates to be regulated by the relevant Competent Authority in that country.
When the UK leaves the EU it will become a third country under the NIS Directive. Therefore, UK-established DSPs wishing to operate in the EU will be required to designate a representative in a Member State. They must comply with the Regulations in that Member State and will be regulated by its relevant Competent Authority. However, there is currently no such requirement in the UK’s NIS Regulations. This means that the ICO (as the relevant Competent Authority) would be unable to exercise the enforcement powers provided for in the NIS Regulations with regard to non-UK-based DSPs operating here.
The Government is therefore proposing to introduce a requirement in the NIS Regulations, following the UK’s departure from the EU, for non-UK established DSPs operating in the UK, whose size and activities would render them in scope of the NIS Regulations, to designate a representative in this country.
The representative would be required to comply with the NIS Regulations in the UK, and would be regulated by the ICO.
In line with existing requirements for UK-based DSPs coming into scope of the NIS Regulations, in-scope non-UK-based DSPs would be allowed three months in which to provide contact details of the designated representative and register with the ICO.
The Government sought views on its proposal. It received a small number of positive responses, which have been used to inform the development of the Government’s approach.
The Government says that the proposed requirement will be introduced through an amendment to the NIS Regulations, which will come into effect on the twentieth day after Exit day. Under this new requirement, non-UK-based DSPs that offer services in the UK must nominate a representative in the UK, where the representative:
- can be any natural or legal person established in the UK, who is able to act on behalf of a digital service provider with regard to its obligations under the NIS Regulations;
- must be nominated in writing;
- must be contactable by the Information Commissioner or GCHQ for the purposes of ensuring compliance with the NIS Regulations;
- is nominated without prejudice to any legal action which could be initiated against the nominating digital service provider; and
- must be nominated within three months of the amendment coming into force, or within three months after the date on which a digital service provider falls in scope.
DSPs that nominate a representative in the UK will have to comply with the NIS Regulations.