The UK government has published new legislation and guidelines to help EU and UK Digital Service Providers deal with compliance under the NIS Directive and the UK NIS Regulations after Brexit.
What's the issue?
The NIS Directive 2016 deals with the security of network and information systems. As a minimum harmonisation Directive, each Member State has its own implementing legislation. In the UK, it's the NIS Regulations 2018.
The Regulations apply to operators of essential services and to Digital Service Providers (DSPs), i.e. anyone who provides one or more of these three types of digital service:
- Online marketplaces
- Online search engines
- Cloud computing services
and who meets the following three criteria:
- 50 or more staff, or a turnover of more than €10m per year, or a balance sheet total of more than €10m per year.
- Its main establishment is in the UK or it has nominated a representative in the UK.
- It offers services in the EU.
When the UK leaves the EU, the Regulations need to change to ensure they continue to work, and relevant DSPs in the UK and the EU may need to take additional compliance steps. Most notably, they may need to appoint a representative to act on their behalf with regard to NIS compliance.
What's the development?
The government has enacted the draft Network and Information Systems (Amendment etc.) (EU Exit) (No.2) Regulations 2019 (Revised Regulations). They are stated as coming into force on the twentieth day after exit day but would most likely come into force at the end of any transition period. They amend the NIS Regulations to:
- Require DSPs with a head office located outside the UK but offering services in the UK to appoint a representative, as long as they are not small or micro enterprises. These requirements will apply from three months after the Regulations come into force.
- Revoke the Cybersecurity Act, which will be redundant after Brexit.
- Amend a drafting error in the schedule.
The Intellectual Property Office has published guidance for UK DSPs operating in the EU on compliance under the UK NIS Regulations and the NIS Directive (as implemented across the EU27). The guidance covers:
- How to identify whether they are caught by the NIS Regulations in the UK.
- The circumstances when a UK DSP will be considered to be offering services within the EU.
- How to meet compliance obligations when providing services in the EU, most notably appointing a representative.
- How UK DSPs are regulated.
Guidance has also been published for EU DSPs offering services in the UK.
What does this mean for you?
If you are a UK DSP offering services in the EU
After Brexit you must:
- Comply with the law in that EU Member State.
- Appoint a representative in one of the EU Member States where you offer services, in writing and following the formal process set by the country you are working in.
- Tell the ICO you have appointed a representative in another country.
If you are a non-UK DSP operating in the UK
After Brexit you will need to:
- Appoint a representative in the UK.
- Confirm this in writing following the ICO's registration process.
- Comply with the NIS Regulations even if you are already complying with domestic law in an EU Member State.
- Continue to comply with requirements for UK DSPs under the Regulations as revised.
The representative must be able to act on behalf of the DSP in relation to its obligations under the NIS Regulations, and the representative's identity must be communicated to the ICO. EU DSPs should also tell the ICO if they have a head office in an EU Member State, if they have nominated a representative in an EU Member State, if they are complying with the equivalent legislation in another country, or if they are operating network and information systems outside the UK. These steps must be taken from three months after the Revised Regulations come into effect.