Important update for UK Digital Service Providers post Brexit

The NIS implements an EU directive of the same name and is intended to establish a common level of network security across the EU, much in the same way that the General Data Protection Regulation implements a common level of data protection across the EU. Both regulations work in harmony together.

The NIS applies to two groups of providers, Operators of Essential Services, such as energy and transport providers, and Relevant Digital Service Providers (RDSPs).

An organisation is an RDSP if it is:

1. a Digital Service Provider, providing one or more of the following digital services:
   1. Online marketplace;
   2. Online search engines; and/or
   3. Cloud computing services.
2. A Digital Service Provider becomes an RDSP if it meets all of the following criteria:
   1. Has 50 or more staff, or a turnover or balance sheet of more than 10 million Euros per year;
   2. Is established in the UK, or has a nominated representative in the UK; and
   3. Offers services in the EU.

The guidance explains that ‘offering services in the EU’  includes circumstances where a Digital Service Provider uses a language or currency or permits a customer to order a service using a language generally used in one or more EU countries, or mentions customers in the EU.

Post Brexit, RDSPs that are based in the UK and offer services in the EU must comply with the law in that EU member state and must also appoint a representative in one of the EU member states where services are offered.

Appointing a representative is a formal written process, prescribed by the particular EU member state the services are provided in. The appointed representative will have to comply with the rules of that particular member state and will act on the RDSP’s behalf in dealing with that country’s regulators as and when required.

The Information Commissioner’s Office (ICO) regulates RDSPs in the UK. RDSPs must register with the ICO and notify the ICO that they have appointed a representative in an EU member state. The NIS also imposes obligations on RDSPs to have appropriate and proportionate security measures in place in order to minimise risks to the network and information systems that they use and there is a requirement to report incidents to the ICO, if the incident has a significant impact on the services provided.

The ICO has a range of enforcement powers, from issuing information and enforcement notices through to imposing penalty fines for non-compliance ranging up to a maximum of £17,000,000 for the most serious contraventions of NIS.

If you would like further advice on the reach and impact of NIS or any other assistance with aspects of Data and Information Law, please contact Joan.Pettingill@LuptonFawcett.Law or Ellie.Leatherday@LuptonFawcett.Law, members of our specialist Data Law Team who would be happy to help.

GOV.UK updated guidance: https://www.gov.uk/guidance/nis-regulations-what-uk-digital-service-providers-operating-in-the-eu-should-do-after-brexit