DIRECTORATE-GENERAL FOR COMMUNICATIONS NETWORKS, CONTENT AND TECHNOLOGY
Brussels, 26 May 2020
REV2 – replaces the notice (REV1) dated 12 March 2018
NOTICE TO STAKEHOLDERS
WITHDRAWAL OF THE UNITED KINGDOM AND EU RULES IN THE FIELD OF
SECURITY OF NETWORK AND INFORMATION SYSTEMS
Since 1 February 2020, the United Kingdom has withdrawn from the European Union and has become a “third country”.1 The Withdrawal Agreement2 provides for a transition period ending on 31 December 2020.3 Until that date, EU law in its entirety applies to and in the United Kingdom.4
During the transition period, the EU and the United Kingdom will negotiate an agreement on a new partnership, providing notably for a free trade area. However, it is not certain whether such an agreement will be concluded and will enter into force at the end of the transition period. In any event, such an agreement would create a relationship which in terms of market access conditions will be very different from the United Kingdom’s participation in the internal market,5 in the EU Customs Union, and in the VAT and excise duty area.
Moreover, after the end of the transition period the United Kingdom will be a third country as regards the implementation and application of EU law in the EU Member States.
Therefore, all interested parties, and especially economic operators, are reminded of the legal situation after the end of the transition period.
1 A third country is a country not member of the EU.
2 Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, OJ L 29, 31.1.2020, p. 7 (“Withdrawal Agreement”).
3 The transition period may, before 1 July 2020, be extended once for up to 1 or 2 years (Article 132(1) of the Withdrawal Agreement). The UK government has so far ruled out such an extension.
4 Subject to certain exceptions provided for in Article 127 of the Withdrawal Agreement, none of which is relevant in the context of this notice.
5 In particular, a free trade agreement does not provide for internal market concepts (in the area of goods and services) such as mutual recognition, the “country of origin principle”, and harmonisation. Nor does a free trade agreement remove customs formalities and controls, including those concerning the origin of goods and their input, as well as prohibitions and restrictions for imports and exports.
After the end of the transition period, the EU rules in the field of security of network and information systems, in particular Directive (EU) 2016/11486, no longer apply to the United Kingdom. This has in particular the following consequences:
Article 16 of Directive (EU) 2016/1148 imposes on digital service providers7 some requirements on security and incident notification. In accordance with Article 17 of Directive (EU) 2016/1148, these requirements are subject to ex post supervisory control by the relevant national competent authorities designated under Article 8 of Directive (EU) 2016/1148. Article 18 of Directive (EU) 2016/1148 provides for the rules on the jurisdiction for such supervisory activity:
• Where a digital service provider is established in the Union, it will be, pursuant to Article 18(1) of Directive (EU) 2016/1148, subject to the jurisdiction of the Member State where it has its main establishment, which in principle corresponds to the place where the provider has its head office in the Union.8
• Where a digital service provider is not established in the Union but offers digital services into the Union, it must, in accordance with Article 18(2) of Directive (EU) 2016/1148, designate a representative in the Union. Pursuant to Article 4(10) of Directive (EU) 2016/1148, a representative means any natural or legal person established in the Union explicitly designated to act on behalf of a digital service provider not established in the Union with regard to the latter’s obligations under this Directive. The designation of a representative by the digital service provider is without prejudice to legal actions which could be initiated against the digital service provider itself, as provided for under Article 18(3) of Directive (EU) 2016/1148.
After the end of the transition period, a digital service provider subject to the jurisdiction of the United Kingdom before the end of the transition period because its main establishment in the EU was in the United Kingdom may be subject to the following:
• If the digital service provider maintains one or several establishments in the EU Member States, it will be deemed to be under the jurisdiction of the EU Member
6 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, p.1.
7 Directive (EU) 2016/1148 defines “digital service provider” as any legal person that provides a digital service (cf. Article 4(6)).
The digital services covered by the Directive are online marketplace, online search engine and cloud computing services (cf. Article 4(5) and Annex III of Directive (EU) 2016/1148).
8 See also Recital (64) of Directive (EU) 2016/1148.
State where it has its main establishment in the EU, thus effectively resulting in a change of competent authority responsible for supervisory measures;
• If the digital service provider is no longer established in the EU but offers digital services into the EU, it will be subject to the obligation to designate a representative in an EU Member State in accordance with Article 18(2) of Directive (EU) 2016/1148, as described above.
Moreover, a digital service provider which provides services in the Union neither established in the EU nor in the United Kingdom but subject to the jurisdiction of the United Kingdom before the withdrawal date because it had designated a representative in the United Kingdom in accordance with Article 18(2) of Directive (EU) 2016/1148 will, after the end of the transition period, be subject to the obligation to designate a representative in an EU Member State where services are offered by that digital service provider in accordance with Article 18(2) of Directive (EU) 2016/1148.
Consequently, the national competent authority, as understood under Article 8 of Directive (EU) 2016/1148, of that Member State where the digital service provider concerned has either its main establishment or has designated a representative, will receive notifications of incidents taking place within the Union and will exercise ex post supervisory control.
The website of the Commission on EU rules on cyber-security (https://ec.europa.eu/digital-single-market/en/policies/cybersecurity) provides general information concerning Directive (EU) 2016/1148. These pages will be updated with further information, where necessary.
Directorate-General for Communications Networks, Content and Technology