What UK digital services providers must do to comply with the regulations covering the security of network and information systems.
The Network and Information Systems (NIS) Directive provides legal measures to boost the overall level of network and information system security in the EU. The UK implemented the NIS Directive through the Network and Information Systems Regulations (2018). The NIS Regulations apply to operators of essential services and Relevant Digital Service Providers (RDSPs). If you are unsure whether your organisation is an RDSP read the section Identify whether your organisation is a RDSP in the UK.
Organisations based in the UK offering services in the EU
- comply with the law in that EU member state
- appoint a representative in one of the EU member states where you offer services
Appoint a representative in the EU
You need to do this in writing, following the formal process set by the country you’re working in. You will need to state that you have designated a representative that may act on your behalf in order to fulfil those legal requirements.
Your representative may act on your behalf with the regulators and the teams responsible for investigating security incidents in the country you’re working in. The representative will be under the jurisdiction of the member state where you offer services and it should be possible for competent authorities to contact that representative.
You should tell the ICO that you have appointed a representative in another country.
Identifying whether your organisation is an RDSP in the UK
A digital service provider (DSP) is anyone who provides one or more of these three types of digital service:
- online marketplaces
- online search engines
- cloud computing services
The NIS Directive became UK law via the NIS Regulations. Under the NIS Regulations, a digital service provider is a relevant digital service provider (RDSP) if it meets the following 3 criteria:
- 50 or more staff, or a turnover of more than €10m per year, or a balance sheet total of more than €10m per year
- its main establishment is in the UK or it has nominated a representative in the UK or EU
- it offers services in the EU
Digital service provider are likely to be considered to be offering services within the EU if they:
- use a language generally used in one or more EU countries
- use a currency generally used in one or more EU countries
- mention customers or users who are in the EU
- customers can order services in a language generally used in one or more EU countries
Digital service providers with fewer than 50 staff, and a turnover or balance sheet of less than €10 million a year are exempt from the NIS Regulations and Directive.
More detailed descriptions of digital services can be found in the ICO Guide to NIS, the text of the NIS Directive, the Commission Implementing Regulation on Art 16(8) of NIS Directive, and the government response to the targeted consultation for digital service providers. Further information on identifying relevant Competent Authorities in EU Member States is available on State-of-play of the transposition of the NIS Directive, alongside their contact details to register.
How RDSPs are regulated in the UK
The Information Commissioner’s Office (ICO) is in charge of regulating RDSPs in the UK. Under the NIS Regulations, RDSPs must:
- register with the ICO
- have appropriate and proportionate security measures in place to manage risks to the network and information systems that support their service
- notify incidents to the ICO, where those incidents have a substantial impact on the provision of their service
NIS Regulations – read the guidance for non-UK digital service providers operating in the UK.