Network Info Systems 2021 UK Guidance

Guidance

NIS Regulations – what non-UK digital service providers operating in the UK should do from 1 January 2021

What organisations based outside of the UK offering services in the UK must do to comply with the regulations covering the security of network and information systems.

New rules for January 2021

The UK has left the EU, and the transition period after Brexit comes to an end this year.

This page tells you what you’ll need to do from 1 January 2021. It will be updated if anything changes.

Check what else you need to do during the transition period.

The Network and Information Systems (NIS) Directive provides legal measures to boost the overall level of network and information system security in the EU. The UK implemented the NIS Directive through the Network and Information Systems Regulations (2018). It applies to operators of essential services and Relevant Digital Service Providers (RDSPs).

Organisations based in the EU offering services in the UK

Because the UK is not an EU member state, by the end of March 2021 you must:

  • Appoint a representative in the UK
  • Confirm this in writing following the Information Commissioner’s Office (ICO) registration process
  • Comply with the NIS Regulations in the UK. You must do this even if you are already complying with the domestic law transposed from the NIS Directive in an EU Member State

Appoint a representative in the UK

The representative may act on your behalf in fulfilling your legal obligations and should be contactable by the ICO or NCSC. The representative will act on your behalf to fulfil your legal requirements under the NIS Regulations, including incident reporting. Your representative will act on your behalf with the ICO and the NCSC in the UK. Your representative will need to comply with UK law.

You should tell the ICO if any of the following apply:

  • you have a head office in an EU Member State
  • you have nominated a representative in an EU Member State
  • you are complying with equivalent legislation in another country
  • you are operating network and information systems located outside the UK

Also, you should tell the ICO that you’re complying with equivalent legislation in another country or running network and information systems located outside the UK.

Further information

The European Commission issued the European Commission Notice to digital service providers in the UK and EU in the context of EU Exit.

The Commission Implementing Regulation pursuant to Art 16(8) of the NIS Directive lays down the rules for the implementation of the Directive in relation to security measures to be adopted by digital service providers.

The Network and Information Systems Regulations 2018 are the domestic Regulations transposed by the United Kingdom.

The ICO’s Guide to the NIS Regulations provides further information.

Read the NIS Regulations – what UK digital service providers operating in the EU should do from 1 January 2021

Published 16 October 2020