Consultation outcome

NIS Regulations: Digital Service Providers (EU Exit) Call for Views

This was published under the 2016 to 2019 May Conservative government
This consultation has concluded

Read the full outcome

Detail of outcome

Detail of outcome

The Government received a small number of positive responses which were used to inform the development of the Government’s approach. The proposed requirement will be introduced through an amendment to the NIS Regulations, which will come into effect the twentieth day after Exit day. Under this new requirement, non-UK based DSPs that offer services in the UK must nominate a representative in the United Kingdom where the representative

  • can be any natural or legal person established in the United Kingdom, who is able to act on behalf of a digital service provider with regard to its obligations under the NIS Regulations;
  • must be nominated in writing;
  • must be contactable by the Information Commissioner or GCHQ for the purposes of ensuring compliance with the NIS Regulations;
  • is nominated without prejudice to any legal action which could be initiated against the nominating digital service provider; and
  • must be nominated within three months of the amendment coming into force, or within three months after the date on which a digital service providers falls in scope.

Digital service providers that nominate a representative in the UK will have to comply the NIS Regulations.


Original consultation

Summary

Following EU Exit, the UK proposes to introduce a requirement for non-UK based DSPs offering services in the UK to comply with the NIS Regulations.

This consultation ran from
to

Consultation description

Background

The Directive on security of network and information systems (the NIS Directive) provide legal measures to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential services and relevant digital services (online marketplaces, online search engines, cloud computing services). The NIS Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016.

The NIS Directive was transposed into UK domestic legislation on 10 May 2018 via the Networks and Information Systems Regulations 2018 (NIS Regulations). The NIS Regulations define digital service providers (DSPs) as organisations that provide online marketplace services, online search engine services, and/or cloud computing services. DSPs are in scope of the NIS Regulations if they have 50 or more staff, or a turnover or balance sheet of more than €10m per year. In the UK, the competent authority regulating digital service providers for the purpose of the NIS Regulations is the Information Commissioner’s Office (ICO).

Designation of representatives

Under the NIS Directive, DSPs whose head office is outside of the EU are required to designate a representative in one of the EU Member States in which they offer services. When a digital service provider designates a representative in an EU Member State it will need to comply with the domestic legislation implementing the NIS Directive in that Member State.

While the United Kingdom is a member of the EU, this requirement doesn’t apply to UK-based digital service providers. When the UK departs the EU, DPSs established in the UK that offer services in another EU Member State will be required to designate a representative in an EU Member State.

There is currently no requirement set out in the UK’s NIS Regulations for non-UK based DSPs that offer services in the UK to designate a representative in the UK.

Proposed approach

The Government is therefore proposing to introduce a requirement in the NIS Regulations, following the UK’s departure from the EU, for non-UK established DSPs offering services in the UK, whose size and activities would render them in scope of the NIS Regulations, to designate a representative in this country. The DSPs would then be required to comply with the NIS Regulations in the UK, and would be regulated by the ICO.

In line with existing requirements for DSPs already in scope of the NIS Regulations, non-UK based DSPs would be allowed three months in which to provide contact details of the designated representative and register with the ICO.

Call for views

The Government is seeking views on the proposed introduction of this requirement when the UK exits the EU.

We would welcome views and any supporting evidence on the costs and benefits of this proposal, as well as any views on the proposed three month timeframe to designate a representative and register with the ICO.

Please respond by 11.45pm on Tuesday 11 June.

Documents

Updates to this page

Published 16 April 2019
Last updated 24 July 2019 + show all updates
  1. We have published the Call for Views on the NIS Regulation

  2. First published.

Sign up for emails or print this page