Brussels, 12 March 2018
NOTICE TO STAKEHOLDERS
SECURITY OF NETWORK AND INFORMATION SYSTEMS
The United Kingdom submitted on 29 March 2017 the notification of its intention to withdraw from the Union pursuant to Article 50 of the Treaty on European Union. This means that, unless a ratified withdrawal agreement[1] establishes another date, all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET) (‘the withdrawal date’).[2] The United Kingdom will then become a ‘third country’.[3]
Preparing for the withdrawal is not just a matter for EU and national authorities but also for private parties.
In view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, stakeholders and particularly the operators potentially subject to the obligations of Directive (EU) 2016/1148 on the security of network and information systems[4] are reminded of legal repercussions, which need to be considered when the United Kingdom becomes a third country.
Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, the EU rules in the field of security of network and information systems no longer apply to the United Kingdom.[5] As of the withdrawal date, this has in particular the following consequences on digital service providers.[6]
[1] Negotiations are ongoing with the United Kingdom with a view to reaching a withdrawal agreement.
[2] Furthermore, in accordance with Article 50(3) of the Treaty on European Union, the European Council, in agreement with the United Kingdom, may unanimously decide that the Treaties cease to apply at a later date.
[3] A third country is a country that is not a member of the EU.
[4] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[5] Member States are required to transpose Directive (EU) 2016/1148 by 9 May 2018. They are also required to identify, by 9 November 2018, the Operators of Essential Services active in the sectors of energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructure (cf. Article 5 for this obligation and Article 4(4) for a definition of Operators of Essential Services).
[6] Directive (EU) 2016/1148 defines ‘digital service provider’ as any legal person that provides a digital service (cf. Article 4(6)).
Article 16 of Directive (EU) 2016/1148 imposes on digital service providers some requirements on security and incident notification. In accordance with Article 17 of Directive (EU) 2016/1148, these requirements are subject to ex post supervisory control by the relevant national competent authorities as understood under Article 8 of Directive (EU) 2016/1148. Article 18 of Directive (EU) 2016/1148 provides for the rules on the jurisdiction for such supervisory activity:
Where a digital service provider is established in the Union, it will be, pursuant to Article 18(1) of Directive (EU) 2016/1148, subject to the jurisdiction of the Member State where it has its main establishment, which in principle corresponds to the place where the provider has its head office in the Union.[7]
Where a digital service provider is not established in the Union but offers digital services into the Union, it must, in accordance with Article 18(2) of Directive (EU) 2016/1148, designate a representative in the Union. Pursuant to Article 4(10) of Directive (EU) 2016/1148, a representative means any natural or legal person established in the Union explicitly designated to act on behalf of a digital service provider not established in the Union with regard to the latter’s obligations under this Directive. The designation of a representative by the digital service provider shall be without prejudice to legal actions which could be initiated against the digital service provider itself, as provided for under Article 18(3) of Directive (EU) 2016/1148.
As of the withdrawal date, a digital service provider subject to the jurisdiction of the United Kingdom before the withdrawal date because its main establishment in the EU was in the United Kingdom may be subject to the following:
If the digital service provider maintains one or several establishments in the EU27 Member States, it will be deemed to be under the jurisdiction of the EU27 Member State where it has its main establishment in the EU27, thus effectively resulting in a change of competent authority;
If the digital service provider is no longer established in the EU27 but offers digital services into the EU27, it will be subject to the obligation to designate a representative in an EU27 Member State in accordance with Article 18(2), as described above.
Moreover, a digital service provider neither established in the EU27 nor in the United Kingdom but subject to the jurisdiction of the United Kingdom before the withdrawal date because it had designated a representative in the United Kingdom in accordance with Article 18(2) will, as of the withdrawal date, be subject to the obligation to designate a representative in an EU27 Member State where services are offered by that digital service provider in accordance with Article 18(2).
Consequently, the national competent authority, as understood under Article 8 of Directive (EU) 2016/1148, of that Member State where the digital service provider concerned has either its main establishment or has designated a representative, will receive notifications of incidents taking place within the Union and will exercise ex post supervisory control. The digital services covered by the Directive are online marketplace, online search engine and cloud computing services (cf. Article 4(5) and Annex III of Directive (EU) 2016/1148).
[7] See also Recital (64) of Directive (EU) 2016/1148.
The website of the Commission on cyber-security (https://ec.europa.eu/digital-singlemarket/en/policies/cybersecurity) provides general information concerning Directive (EU) 2016/1148. These pages will be updated with further information, where necessary.
The Legal Materials contain European Union public sector information. EU public information is reproduced pursuant to Commission Decision of 12 December 2011 on the reuse of Commission documents (2011/833/EU) (the EU Decision).