The British government says it plans to keep Europe’s NIS (Networks and Information Systems) Directive in force after Brexit – and will require non-UK based Digital Service Providers (DSPs) to designate a representative in the UK.
The NIS Directive is Europe’s first cybersecurity legislation. It is enforceable as of May 2018 and imposes a minimum level of security for digital technologies, networks and services. Under the NIS Directive, DSPs with a head office outside of the EU are required to designate a representative in one of the EU Member States.
There is currently no requirement set out in the UK’s NIS Regulations for non-UK based DSPs that offer services in the UK to designate a representative in the UK specifically. The proposed changes amend this.
The requirements will come into force legally 20 days after Brexit.
The nominee must be “any natural or legal person established in the United Kingdom, who is able to act on behalf of a digital service provider with regard to its obligations under the NIS Regulations”. They must be contactable by the Information Commissioner or GCHQ for the purposes of ensuring compliance with the NIS Regulations.
The NIS Directive applies to organisations falling into two buckets: Operators of Essential Services – energy, healthcare, transportation, drinking water, some financial services, and digital infrastructure; and Digital Service Providers – online search, online marketplaces, or cloud computing services.
Fines of up to £17 million can be levied on companies found to be in contravention of the directive. The legislation hasn’t caught the public imagination in the same way that GDPR has, nor has it yet resulted in the kind of proposed fines seen under GDPR, but has broadly been welcomed. Not is everyone a fan: critics have assailed the legislation for absolving hardware and software companies of responsibility for providing secure components to the kind of critical national infrastructure that the NIS covers.
(As Jaya Baloo, the CISO of the Netherland’s KPN Telecom put it last year: “The NIS says hardware and software don’t need a cert. The NIS Directive sucks”.)
For UK-based companies unsure how to comply, the NCSC offers guidance.