Guidance

NIS Regulations - what UK digital service providers operating in the EU should do from 1 January 2021

What you must do to comply with the regulations covering the security of network and information systems.

The UK has left the EU and the transition period after Brexit comes to an end this year.

This page tells you what you'll need to do from 1 January 2021. It will be updated if anything changes.

Check what else you need to do during the transition period.

The Network and Information Systems (NIS) Directive provides legal measures to boost the overall level of network and information system security in the EU. The UK implemented the NIS Directive through the Network and Information Systems Regulations (2018). The NIS Regulations apply to operators of essential services and Relevant Digital Service Providers (RDSPs). If you are unsure whether your organisation is an RDSP read the section Identify whether your organisation is a RDSP in the UK.

Organisations based in the UK offering services in the EU

You must:

  • comply with the law in that EU member state

  • appoint a representative in one of the EU member states where you offer services

Appoint a representative in the EU

You need to do this in writing, following the formal process set by the country you’re working in. You will need to state that you have designated a representative that may act on your behalf in order to fulfil those legal requirements.

Your representative may act on your behalf with the regulators and the teams responsible for investigating security incidents in the country you’re working in. The representative will be under the jurisdiction of the member state where you offer services and it should be possible for competent authorities to contact that representative.

You should tell the ICO that you have appointed a representative in another country.

We recommend that you start your engagement with the relevant member state before the end of 2020 to ensure a smooth transition.

Identifying whether your organisation is an RDSP in the UK

A digital service provider (DSP) is anyone who provides one or more of these three types of digital service:

  • online marketplaces

  • online search engines

  • cloud computing services

The NIS Directive became UK law via the NIS Regulations. Under the NIS Regulations, a digital service provider is a relevant digital service provider (RDSP) if it meets the following 3 criteria:

  • 50 or more staff, or a turnover of more than €10m per year, or a balance sheet total of more than €10m per year

  • its main establishment is in the UK or it has nominated a representative in the UK or EU

  • it offers services in the EU

Digital service provider are likely to be considered to be offering services within the EU if they:

  • use a language generally used in one or more EU countries

  • use a currency generally used in one or more EU countries

  • mention customers or users who are in the EU

  • customers can order services in a language generally used in one or more EU countries

Digital service providers with fewer than 50 staff, and a turnover or balance sheet of less than €10 million a year are exempt from the NIS Regulations and Directive.

More detailed descriptions of digital services can be found in the ICO Guide to NIS, the text of the NIS Directive, the Commission Implementing Regulation on Art 16(8) of NIS Directive, and the government response to the targeted consultation for digital service providers. Further information on identifying relevant Competent Authorities in EU Member States is available on State-of-play of the transposition of the NIS Directive, alongside their contact details to register.

How RDSPs are regulated in the UK

The Information Commissioner’s Office (ICO) is in charge of regulating RDSPs in the UK. Under the NIS Regulations, RDSPs must:

  • register with the ICO

  • have appropriate and proportionate security measures in place to manage risks to the network and information systems that support their service

  • notify incidents to the ICO, where those incidents have a substantial impact on the provision of their service

RDSPs based in the UK and providing services in other EU countries currently do not need to designate a representative in those countries while we remain a member of the EU.

Further guidance

NIS Regulations - read what non-UK digital service providers operating in the UK should do from 1 January 2021.

Published 16 October 2019