Following the UK’s departure from the EU, the UK proposes to introduce a requirement in the NIS Regulations for specified non-UK based Digital Service Providers (DSPs) operating in the UK to designate a representative in this country that will be subject to the regulatory authority of the ICO.
The NIS Directive is EU-wide legislation that requires critical infrastructure organisations to implement stronger cyber security. The Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. The NIS Directive was transposed into UK domestic legislation on 10 May 2018 via the Networks and Information Systems Regulations 2018 (NIS Regulations). The Regulations apply to operators of essential services in the energy, transport, health, water, and digital infrastructure sectors, as well as to digital service providers (DSPs).
The NIS Regulations define DSPs as organisations that provide online marketplace services, online search engine services, and/or cloud computing services. DSPs are in scope of the NIS Regulations if they have 50 or more staff, or a turnover of more than €10m per year.
Designation of representatives
Under the NIS Directive, a DSP that is not established in the EU but offers digital services within the EU, must designate a representative in a Member State in which it operates, to be regulated by the relevant Competent Authority in that country.
When the UK leaves the EU it will become a third country under the NIS Directive. Therefore, UK established DSPs wishing to operate in the EU will be required to designate a representative in a Member State. They must comply with the regulations in that Member State and will be regulated by its relevant Competent Authority.
There is currently no requirement set out in the UK’s NIS Regulations for DSPs not headquartered in the UK to designate a representative here. This means that the ICO (as the relevant Competent Authority) would be unable to exercise the enforcement powers provided for in the NIS Regulations with regard to non-UK based DSPs operating here.
The Government is therefore proposing to introduce a requirement in the NIS Regulations, following the UK’s departure from the EU, for non-UK established DSPs operating in the UK, whose size and activities would render them in scope of the NIS Regulations, to designate a representative in this country.
The representative would be required to comply with the NIS Regulations in the UK, and would be regulated by the ICO.
In line with existing requirements for UK based DSPs coming into scope of the NIS Regulations, in scope non-UK based DSPs would be allowed three months in which to provide contact details of the designated representative and register with the ICO.
Call for views
The Government is seeking views on the proposed introduction of this requirement when the UK exits the EU.
We would welcome views and any supporting evidence on the costs and benefits of this proposal, as well as any views on the proposed three month timeframe to designate a representative and register with the ICO.
Please respond by 11.45pm on Tuesday 11 June.
Ways to respond
NIS Directive Team
Department for Digital, Culture, Media & Sport
100 Parliament Street