NIS Regulations: Digital Service Providers (EU Exit) Call for Views
Following EU Exit, the UK proposes to introduce a requirement for non-UK based DSPs offering services in the UK to comply with the NIS Regulations.
The Directive on security of network and information systems (the NIS Directive) provides legal measures to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential services and relevant digital services (online marketplaces, online search engines, cloud computing services). The NIS Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016.
The NIS Directive was transposed into UK domestic legislation on 10 May 2018 via the Networks and Information Systems Regulations 2018 (NIS Regulations). The NIS Regulations define digital service providers (DSPs) as organisations that provide online marketplace services, online search engine services, and/or cloud computing services. DSPs are in scope of the NIS Regulations if they have 50 or more staff, or a turnover or balance sheet of more than €10m per year. In the UK, the competent authority regulating digital service providers for the purpose of the NIS Regulations is the Information Commissioner’s Office (ICO).
Designation of representatives
Under the NIS Directive, DSPs whose head office is outside of the EU are required to designate a representative in one of the EU Member States in which they offer services. When a digital service provider designates a representative in an EU Member State it will need to comply with the domestic legislation implementing the NIS Directive in that Member State.
While the United Kingdom is a member of the EU, this requirement doesn’t apply to UK-based digital service providers. When the UK departs the EU, DSPs established in the UK that offer services in another EU Member State will be required to designate a representative in an EU Member State.
There is currently no requirement set out in the UK’s NIS Regulations for non-UK based DSPs that offer services in the UK to designate a representative in the UK.
Proposed approach
The Government is therefore proposing to introduce a requirement in the NIS Regulations, following the UK’s departure from the EU, for non-UK established DSPs offering services in the UK, whose size and activities would render them in scope of the NIS Regulations, to designate a representative in this country. The DSPs would then be required to comply with the NIS Regulations in the UK, and would be regulated by the ICO.
In line with existing requirements for DSPs already in scope of the NIS Regulations, non-UK based DSPs would be allowed three months in which to provide contact details of the designated representative and register with the ICO.
Call for views
The Government is seeking views on the proposed introduction of this requirement when the UK exits the EU.
We would welcome views and any supporting evidence on the costs and benefits of this proposal, as well as any views on the proposed three-month timeframe to designate a representative and register with the ICO.
Please respond by 11.45pm on Tuesday 11 June.