NIS Regulations: Digital Service Providers (EU Exit) Call for Views
Read the full outcome
Detail of outcome
Detail of outcome
The Government received a small number of positive responses which were used to inform the development of the Government’s approach. The proposed requirement will be introduced through an amendment to the NIS Regulations, which will come into effect the twentieth day after Exit day. Under this new requirement, non-UK based DSPs that offer services in the UK must nominate a representative in the United Kingdom where the representative
- can be any natural or legal person established in the United Kingdom, who is able to act on behalf of a digital service provider with regard to its obligations under the NIS Regulations;
- must be nominated in writing;
- must be contactable by the Information Commissioner or GCHQ for the purposes of ensuring compliance with the NIS Regulations;
- is nominated without prejudice to any legal action which could be initiated against the nominating digital service provider; and
- must be nominated within three months of the amendment coming into force, or within three months after the date on which a digital service providers falls in scope.
Digital service providers that nominate a representative in the UK will have to comply the NIS Regulations.
Original consultation
Consultation description
Background
The Directive on security of network and information systems (the NIS Directive) provide legal measures to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential services and relevant digital services (online marketplaces, online search engines, cloud computing services). The NIS Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016.
The NIS Directive was transposed into UK domestic legislation on 10 May 2018 via the Networks and Information Systems Regulations 2018 (NIS Regulations). The NIS Regulations define digital service providers (DSPs) as organisations that provide online marketplace services, online search engine services, and/or cloud computing services. DSPs are in scope of the NIS Regulations if they have 50 or more staff, or a turnover or balance sheet of more than €10m per year. In the UK, the competent authority regulating digital service providers for the purpose of the NIS Regulations is the Information Commissioner’s Office (ICO).
Designation of representatives
Under the NIS Directive, DSPs whose head office is outside of the EU are required to designate a representative in one of the EU Member States in which they offer services. When a digital service provider designates a representative in an EU Member State it will need to comply with the domestic legislation implementing the NIS Directive in that Member State.
While the United Kingdom is a member of the EU, this requirement doesn’t apply to UK-based digital service providers. When the UK departs the EU, DPSs established in the UK that offer services in another EU Member State will be required to designate a representative in an EU Member State.
There is currently no requirement set out in the UK’s NIS Regulations for non-UK based DSPs that offer services in the UK to designate a representative in the UK.
Proposed approach
The Government is therefore proposing to introduce a requirement in the NIS Regulations, following the UK’s departure from the EU, for non-UK established DSPs offering services in the UK, whose size and activities would render them in scope of the NIS Regulations, to designate a representative in this country. The DSPs would then be required to comply with the NIS Regulations in the UK, and would be regulated by the ICO.
In line with existing requirements for DSPs already in scope of the NIS Regulations, non-UK based DSPs would be allowed three months in which to provide contact details of the designated representative and register with the ICO.
Call for views
The Government is seeking views on the proposed introduction of this requirement when the UK exits the EU.
We would welcome views and any supporting evidence on the costs and benefits of this proposal, as well as any views on the proposed three month timeframe to designate a representative and register with the ICO.
Please respond by 11.45pm on Tuesday 11 June.
Documents
Updates to this page
Published 16 April 2019Last updated 24 July 2019 + show all updates
-
We have published the Call for Views on the NIS Regulation
-
First published.