Overview
Delivering the deal negotiated with the EU remains the government’s top priority. This has not changed. However, the government must prepare for every eventuality, including a no deal scenario.
For 2 years, the government has been implementing a significant programme of work to ensure that the UK is prepared to leave the EU on 29 March 2019 (may also apply to new exit date on 31 December 2020). It has always been the case that as we get nearer to that date, preparations for a no deal scenario would have to be accelerated. We must ensure plans are in place should they need to be relied upon.
In the event of a ‘no deal’ departure from the EU, relevant digital service providers (RDSP) that wish to continue providing services into EU markets may need to designate a representative in one of the Member States in which they offer services. RDSP is defined later in this guidance.
Current situation (before 29 March 2019; may also apply to the new exit date of 31 December 2020)
The European Parliament adopted the Security of Network and Information Systems Directive (NIS Directive) on 6 July 2016. The NIS Directive provides legal measures to boost the overall level of network and information system security in the EU. It applies to operators of essential services and RDSPs. This guidance refers only to RDSPs.
The government incorporated the NIS Directive into national law via the Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018. The Information Commissioner’s Office (ICO) is the competent authority in charge of regulating RDSPs in the UK. Under the NIS Regulations, RDSPs are required to register with the ICO, and have appropriate and proportionate security measures in place to manage risks to the network and information systems that support their service. RDSPs are also required to notify incidents to the ICO, where those incidents have a substantial impact on the provision of their service. Further details can be found on the ICO website.
Under the NIS Directive, a digital service provider that is not established in the EU, but offers services within the EU, shall designate a representative in the EU. The representative shall be established in one of the EU Member States where the services are offered, and the digital service provider shall be deemed to be under the jurisdiction of the EU Member State where that representative is established. As of December 2018, a RDSP based in the UK and providing services in another EU Member State doesn’t need to designate a representative in that EU Member State.
Who is affected
You will be affected if you are a digital service provider that:
1. has 50 or more staff or a turnover of more than €10m per year or a balance sheet total of more than €10m per year; and
2. has its main establishment in the UK; and
3. offers services in the EU.
Please read below for a definition of a digital service provider. More information and detail on these three criteria are also set out below.
Under the NIS Directive, digital services are:
● Online marketplaces: digital services that allow consumers and/or traders to conclude online sales or service contracts with traders either on the online marketplace website or on a trader’s website that uses computing services provided by the online marketplace.
● Online search engines: digital services that allow users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input and returns links in which information related to the requested content can be found.
● Cloud computing services: digital services that enable access to a scalable and elastic pool of shareable computing resources.
More detailed descriptions of digital services can be found in the ICO Guide to NIS, the text of the NIS Directive, the Commission Implementing Regulation on Art 16(8) of NIS Directive, and the government response to the targeted consultation for digital service providers.
Digital service providers with fewer than 50 staff, and a turnover or balance sheet of less than €10 million a year, are exempt from the NIS Directive. A RDSP is a digital service provider that:
● has its main establishment in an EU Member State; or
● offers services in an EU Member State and has designated a representative in that EU Member State.
Establishment in an EU Member State implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary possessing legal personality, is not the determining factor in this respect. In principle, the ‘main establishment’ of a digital service provider corresponds to the place where the company has its head office. If you would like more clarification on any of these terms, please contact the ICO. A digital service provider ‘offers services’ within the EU if it is apparent that it offers, or is planning to offer, digital services to persons in one or more EU Member States.
A digital service provider plans to offer services within the EU if:
● the digital service provider uses a language generally used in one or more EU Member States;
● the digital service provider uses a currency generally used in one or more EU Member States;
● customers have the possibility to order services in a language generally used in one or more EU Member States; and
● the digital service provider mentions customers or users who are in the EU.
Implications for relevant digital service providers
In the unlikely event of a ‘no deal’ departure from the EU, RDSPs established in the UK that offer services in one or more EU Member States may be required to designate a representative in one of the EU Member States where they offer services. As of December 2018, it is unknown whether this will be required, and it may depend on the future agreements with each Member State of the European Union.
RDSPs must prepare for the eventuality that they will be required to designate a representative in an EU Member State where they offer services. On exit from the EU in March 2019 in the event of a No Deal, you will need to take the following steps if you are a RDSP:
Step 1
● Ascertain whether your ‘main establishment’ is in the UK or in an EU Member State.
○ If your main establishment is in the UK, you must register with the ICO and comply with the NIS Regulations.
○ If your main establishment is in an EU Member State, you must comply with the law in that EU Member State.
Step 2
● If your main establishment is in the UK, find out whether you offer services within the EU. If you offer services within the EU, you may be required to designate a representative in an EU Member State where you offer services.
○ The representative must be established in an EU Member State where you offer services. When you designate the representative, you must comply with the law in that EU Member State.
○ Your representative should act on your behalf, and it should be possible for competent authorities (e.g. the ICO in the UK) and/or the computer security incident response teams of the relevant EU Member State to contact the representative.
○ You should designate the representative in writing by a formal process set by the relevant EU Member State authority, stating that the representative will act on your behalf to fulfil your obligations under the NIS Directive, including incident reporting. If a RDSP designates a representative in an EU Member State, it will be under the jurisdiction of the Member State where the representative is established. The RDSP would also be subject to UK law, if its main establishment is in the UK.
Step 3
● Inform the ICO if:
○ your main establishment is in an EU Member State;
○ you have designated a representative in an EU Member State; or
○ your network and information systems are located in one or more EU Member States.