View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

The NIS Directive After Brexit: Gov’t Lays Out Plans

UK-based companies will need to designate a representative

By CBR Staff Writer

The British government says it plans to keep Europe’s  NIS (Networks and Information Systems) Directive in force after Brexit – and will require non-UK based Digital Service Providers (DSPs) to designate a representative in the UK.

The NIS Directive is Europe’s first cybersecurity legislation. It is enforceable as of May 2018 and imposes a minimum level of security for digital technologies, networks and services. Under the NIS Directive, DSPs with a head office outside of the EU are required to designate a representative in one of the EU Member States.

There is currently no requirement set out in the UK’s NIS Regulations for non-UK based DSPs that offer services in the UK to designate a representative in the UK specifically. The proposed changes amend this.

The requirements will come into force legally 20 days after Brexit.

The nominee must be “any natural or legal person established in the United Kingdom, who is able to act on behalf of a digital service provider with regard to its obligations under the NIS Regulations”. They must be contactable by the Information Commissioner or GCHQ for the purposes of ensuring compliance with the NIS Regulations.

The NIS Directive applies to organisations falling into two buckets: Operators of Essential Services –  energy, healthcare, transportation, drinking water, some financial services, and digital infrastructure; and Digital Service Providers – online search, online marketplaces, or cloud computing services.

Fines of up to £17 million can be levied on companies found to be in contravention of the directive. The legislation hasn’t caught the public imagination in the same way that GDPR has, nor has it yet resulted in the kind of proposed fines seen under GDPR, but has broadly been welcomed. Not is everyone a fan: critics have assailed the legislation for absolving hardware and software companies of responsibility for providing secure components to the kind of critical national infrastructure that the NIS covers.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

(As Jaya Baloo, the CISO of the Netherland’s KPN Telecom put it last year: “The NIS says hardware and software don’t need a cert. The NIS Directive sucks”.)

For UK-based companies unsure how to comply, the NCSC offers guidance.

See also: Best Practices for NIS Directive Compliance

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.