Gemma Wilson looks at the consideration of the NIS Regulations and the key steps which need to be taken by businesses to ensure that they are prepared for what lies ahead after the transition period
In the UK, the Network and Information Systems Regulations 2018 (NIS Regulations) implemented the EU Directive on security of network and information systems (NIS Directive) on 10 May 2018. The NIS legislation requires operators of essential services and relevant digital service providers to take appropriate security measures and to report significant network and information systems security incidents to their competent authority (for digital service providers, the Information Commissioner's Office (ICO)). The National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ), acts as the UK's single point of contact and liaises with the relevant authorities in the EU.
In light of Brexit, the Network and Information Systems (Amendments etc.) (EU Exit) Regulations 2019 make certain amendments to how cybersecurity in the UK will work going forwards.
Is this relevant to you and your business?
The NIS Regulations apply to operators of essential services and relevant digital service providers (RDSPs). In the travel industry, we will likely be more concerned with the RDSP element here.
You will be a relevant digital service provider if you:
- provide either an online search engine, an online marketplace or a cloud computing service;
- have your head office in the UK, or have nominated a UK representative; and
- are not a small or micro business, i.e. you have 50 or more staff, or an annual turnover or balance sheet total of €10 million or more (a business with fewer than 50 staff and a turnover and balance sheet total below €10 million is excluded).
What happens after 31 December 2020?
EU legislation will continue to apply to the UK until the end of the transition period. However after the transition period, the obligations imposed under the NIS Regulations on UK regulatory authorities to liaise, cooperate and share information on cyber issues with the relevant authorities in EU member states will fall away. Therefore, there will be two regimes to comply with – a UK regime if providing digital services in the UK and an EU regime if providing digital services in the EU.
If you’re a UK based RDSP who provides digital services to EU member states, you must:
- comply with the law in the relevant EU member state where you are offering services; and
- appoint a representative in one of the EU member states where you are offering services.
The second step must be done in writing, following the formal process set by the member state in which the RDSP is operating, and must record that the RDSP has designated a representative who may act on its behalf in order to fulfil the requirements of the NIS Directive. The RDSP should also inform the UK's ICO that it has appointed a representative in a member state.
There is no need to complete this process until after the transition period; however, we recommend that you begin it sooner rather than later, as 2021 is (hopefully) going to be a busy year for all.
Offering Services in the EU
The phrase ‘relevant member state’ has been used above, but there is no UK government guidance as to what a relevant member state is, or what businesses should be doing if they provide digital services in a number of member states.
There is more guidance in the European Commission’s Notice to Stakeholders on the Withdrawal of the United Kingdom and EU Rules in the Field of Security of Network and Information Systems, published by the Commission.
This guidance states that if the business is not established in the EU but offers digital services within the EU, it must designate a representative within the EU, in accordance with Article 18(2) of the NIS Directive. This reads as follows:
A digital service provider that is not established in the Union, but offers services referred to in Annex III within the Union, shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. The digital service provider shall be deemed to be under the jurisdiction of the Member State where the representative is established.
Therefore, there is no requirement to appoint a representative in each member state in which you offer services; it is sufficient to have a representative in one member state. Of course, this cannot be just any member state: the Directive requires that it be a member state where the services are offered, and the general approach is to appoint the representative in the member state where you do the most business.
Offering services in the UK
Similarly, at the end of the transition period, non-UK based RDSPs that offer services within the UK will be required to appoint a UK-based representative.
Practical next steps
If you’re a UK based RDSP who provides digital services to EU member states, you should start the process described above by determining the member state where you do the most business and appointing a representative in that member state.
Additional research by Sophie Brazier.