18 November 2019
Radar - November 2019
The UK government has published new legislation and guidelines to help EU and UK Digital Service Providers deal with compliance under the NIS Directive and the UK NIS Regulations after Brexit.
The NIS Directive 2016 deals with the security of network and information systems. As a minimum harmonisation Directive, each Member State has its own implementing legislation. In the UK, it's the NIS Regulations 2018.
The Regulations apply to operators of essential services and to Digital Service Providers (DSPs), i.e. anyone who provides one or more of these three types of digital service:
And meets the following three criteria:
When the UK leaves the EU, the Regulations need to change to ensure they continue to work, and relevant DSPs in the UK and the EU may need to take additional compliance steps. Most notably, they may need to appoint a representative to act on their behalf with regard to NIS compliance.
The government has enacted the draft Network and Information Systems (Amendment etc.) (EU Exit) (No.2) Regulations 2019 (Revised Regulations). They are stated as coming into force on the twentieth day after exit day but would most likely come into force at the end of any transition period. They amend the NIS Regulations to:
The Intellectual Property Office has published guidance for UK DSPs operating in the EU on compliance under the UK NIS Regulations and the NIS Directive (as implemented across the EU27). The guidance covers:
Guidance has also been published for EU DSPs offering services in the UK.
After Brexit you must:
After Brexit you will need to:
The representative must be able to act on behalf of the DSP in relation to its obligations under the NIS Regulations and their identity must be communicated to the ICO. EU DSPs should also tell the ICO if they have a head office in an EU Member State, if they have nominated a representative in an EU Member State, if they are complying with the equivalent legislation in another country or are operating network and information systems outside the UK. These steps must be taken from three months of the Revised Regulations coming into effect.