What organisations based outside the UK offering services in the UK must do to comply with the regulations covering the security of network and information systems.
The Network and Information Systems (NIS) Directive provides legal measures to boost the overall level of network and information system security in the EU. The UK implemented the NIS Directive through the Network and Information Systems Regulations (2018). It applies to operators of essential services and Relevant Digital Service Providers (RDSPs).
Organisations based in the EU offering services in the UK
Because the UK is not an EU member state, by the end of March 2021 you must:
- Appoint a representative in the UK
- Confirm this in writing following the Information Commissioner’s Office (ICO) registration process
- Comply with the NIS Regulations in the UK. You must do this even if you are already complying with the domestic law transposed from the NIS Directive in an EU Member State.
Appoint a representative in the UK
The representative will act on your behalf to fulfil your legal requirements under the NIS Regulations, including incident reporting, and will act on your behalf with the ICO and the NCSC in the UK. The representative should be contactable by the ICO or NCSC and will need to comply with UK law.
You should tell the ICO if any of the following apply:
- you have a head office in an EU Member State
- you have nominated a representative in an EU Member State
- you are complying with equivalent legislation in another country
- you are operating network and information systems located outside the UK
Also, you should tell the ICO that you’re complying with equivalent legislation in another country or running network and information systems located outside the UK.
The European Commission issued the European Commission Notice to digital service providers in the UK and EU in the context of EU Exit.
The Commission Implementing Regulation pursuant to Article 16(8) of the NIS Directive lays down the rules for the implementation of the Directive in relation to security measures to be adopted by digital service providers.
The Network and Information Systems Regulations 2018 are the domestic Regulations transposed by the United Kingdom.
The ICO’s Guide to the NIS Regulations provides further information.