The UK government has issued a call for views on the UK’s proposed approach to regulating non-UK based digital service providers operating in the UK under the Security of Network & Information Systems Regulations 2018 SI 2018/506 (NIS Regulations) after the UK leaves the EU.
Following the UK’s departure from the EU, the UK proposes to introduce a requirement in the NIS Regulations for specified non-UK based Digital Service Providers (DSPs) operating in the UK to designate a representative in the UK that will be subject to the regulatory authority of the ICO.
The NIS Directive is EU-wide legislation that requires critical infrastructure organisations to implement stronger cyber security. The Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. The NIS Directive was transposed into UK domestic legislation on 10 May 2018 via the NIS Regulations. The Regulations apply to operators of essential services in the energy, transport, health, water, and digital infrastructure sectors, as well as to digital service providers (DSPs).
The NIS Regulations define DSPs as organisations that provide online marketplace services, online search engine services, and/or cloud computing services. DSPs are in scope of the NIS Regulations if they have 50 or more staff, or a turnover of more than €10m per year.
Under the NIS Directive, a DSP that is not established in the EU but offers digital services within the EU, must designate a representative in a member state in which it operates, to be regulated by the relevant Competent Authority in that country.
When the UK leaves the EU it will become a third country under the NIS Directive. Therefore, UK established DSPs wishing to operate in the EU will be required to designate a representative in a Member State. They must comply with the regulations in that Member State and will be regulated by its relevant Competent Authority.
There is currently no requirement set out in the UK’s NIS Regulations for DSPs not headquartered in the UK to designate a representative in the UK. This means that the ICO (as the relevant Competent Authority) would be unable to exercise the enforcement powers provided for in the NIS Regulations with regard to non-UK based DSPs operating in the UK.
The Uk government is therefore proposing to introduce a requirement in the NIS Regulations, following the UK’s departure from the EU, for non-UK established DSPs operating in the UK, whose size and activities would render them in scope of the NIS Regulations, to designate a representative in the UK.
The representative would be required to comply with the NIS Regulations in the UK, and would be regulated by the ICO.
In line with existing requirements for UK based DSPs coming into scope of the NIS Regulations, in scope non-UK based DSPs would be allowed three months in which to provide contact details of the designated representative and register with the ICO.
The UK government is seeking views on the proposed introduction of this requirement when the UK exits the EU. It welcomes evidence on the costs and benefits of this proposal, as well as any views on the proposed three month timeframe to designate a representative and register with the ICO. The consultation ends on 11 June.