Guidance

NIS Regulations – non-UK digital service providers operating in the UK

What organisations based outside the UK offering services in the UK must do to comply with the regulations covering the security of network and information systems.

The Network and Information Systems (NIS) Directive provides legal measures to boost the overall level of network and information system security in the EU. The UK implemented the NIS Directive through the Network and Information Systems Regulations (2018). It applies to operators of essential services and Relevant Digital Service Providers (RDSPs).

Organisations based in the EU offering services in the UK

Because the UK is not an EU member state, by the end of March 2021 you must:

  • Appoint a representative in the UK
  • Confirm this in writing following the Information Commissioner’s Office (ICO) registration process
  • Comply with the NIS Regulations in the UK. You must do this even if you are already complying with the domestic law transposed from the NIS Directive in an EU Member State

Appoint a representative in the UK

The representative may act on your behalf in fulfilling your legal obligations and should be contactable by the ICO or NCSC. The representative will act on your behalf to fulfil your legal requirements under the NIS Regulations, including incident reporting. Your representative will act on your behalf with the ICO and the NCSC in the UK. Your representative will need to comply with UK law.

You should tell the ICO if any of the following apply:

  • you have a head office in an EU Member State
  • you have nominated a representative in an EU Member State
  • you are complying with with equivalent legislation in another country
  • you are operating network and information systems located outside the UK

Also, you should tell the ICO that you’re complying with equivalent legislation in another country or running network and information systems located outside the UK.

Further information

The European Commission issued the European Commission Notice to digital service providers in the UK and EU in the context of EU Exit.

The Commission Implementing Regulation pursuant Art 16(8) of NIS Directive lays down the rules for the implementation of the Directive in relation to security measures to be adopted by digital service providers.

Network and Information Systems Regulations 2018 are the domestic Regulations transposed by the United Kingdom.

The ICO’s Guide to the NIS Regulations provides further information.

Read the NIS Regulations for UK digital service providers operating in the EU

Published 31 December 2020
Share this article