Cyber update: what will Brexit mean for NIS and Digital Service Providers?

By Simon Shooter, Stephanie Lopes

11-2019

As the UK moves glacially towards some form of Brexit, attention shifts towards EU cyber security regulations and the potential impact of Brexit on regulatory compliance of UK headquartered businesses.

What follows is based on information provided as part of the No Deal Brexit preparations by the UK Government. In the event of the new withdrawal agreement being fully ratified before Brexit, the UK will continue to operate as if still part of the EU during the implementation period, so the current arrangements will continue. It is also worth noting that the political declaration setting out the broad parameters for the future UK/EU relationship states in clauses 108-111 that it is intended that the UK will continue to participate in the EU institutions relevant to the Network and Information Systems (NIS) Directive. This may not go so far as to allow Digital Services Providers (DSPs) to avoid having a representative in either the UK or the EU if they do not have their business registered there. It also raises the consideration that the proposed new arrangements for Northern Ireland - to be implemented if the new UK/EU future relationship is insufficiently close to avoid a hard or any customs border - may raise the possibility that registration in Northern Ireland may satisfy the requirements of both the EU and the UK as described below.

In early October the Information Commissioner's Office (ICO) issued letters to all registered relevant digital service providers (RDSPs). These letters alerted those RDSPs to the fact that the NIS Directive requires DSPs who offer qualifying services within the Union to have a registered representative in a Member State. With the UK leaving the Union, their current registrations at the ICO will no longer be adequate for NIS compliance, so RDSPs are encouraged, if they wish to offer digital services in the Union after Brexit, to designate a representative in an alternative Member State.

On the other hand, on 25 October the UK Government issued guidance to organisations based in the EU who offer digital services to the UK. Brexit will mean that non-UK DSPs wishing to continue to provide digital services to UK users must appoint a representative in the UK and must register with the ICO. As an aside, whilst the UK Government guidance is focused on EU-based DSPs, we presume that the core message should apply to any non-UK based DSPs offering a qualifying digital service in the UK.

What happens next? Guidance for the appointment of representatives

Taking the last point first, for non-UK DSPs the position is clear and the options limited. If they wish to carry on providing qualifying digital services in the UK they must appoint a representative in the UK.

For UK DSPs who wish to continue to provide qualifying digital services to Union countries the position is still clear, but there is an option attached. The need to appoint a representative in a Member State is the clear part, while the option relates to the choice of Member State in which to designate the representative. Going back to the Directive, the relevant provision states that the representative shall be established in one of the Member States where the services are offered. However, in the likely circumstances that a DSP offers services in multiple Member States, that may provide an option to elect.

The implementation of the NIS Directive by Member States has been far from uniform. As an example, the sanctions regime implemented in Croatia includes fines in the range EUR 20,000 – EUR 67,000 for failing organisations and EUR 2,000 – EUR 6,000 for responsible persons in the relevant organisation, whereas in the UK the most severe financial penalty for a defaulting Operator of Essential Services (OES) and/or an RDSP is set at £17m. With such significant differences, the local adoption of the NIS Directive should be evaluated when making the choice as to which Member State to appoint a representative in. Bird & Bird's NISD tracker can guide you in making that evaluation and our international team are also very happy to assist.

Doubled jeopardy

The NIS Directive set out to create a distinctly different jurisdictional environment for DSPs. While OES are responsible for compliance with the local adoption of the Directive in each Member State where they meet the local OES thresholds, DSPs were intended only to have to address the Directive as adopted in the Member State in which they had their main establishment, or, if not established in the EU, as relevant to their appointed representative.

With Brexit, both UK and EU DSPs who offer qualifying digital services in the UK and EU will be responsible for compliance and open to sanction for non-compliance in the UK and another Member State.

The role of the representative

The exact role and responsibilities of a representative appointed by a DSP pursuant to the NIS Directive remain unclear. The UK Government guidance states that UK appointed representatives will act on behalf of the DSP in fulfilling the legal requirements under the NIS Regulations (the UK adoption of the NIS Directive). They will also need to interface with the ICO and the NCSC.

Where to look for assistance?

The long-established multidisciplinary Cyber team at Bird & Bird is on hand to assist in any aspect of support that may be needed in respect of cyber-security: from gap analyses and establishing resilience programmes to regulatory compliance and incident response.

If you would like assistance in determining whether you qualify as a relevant digital service provider or whether Brexit impacts you and how to respond, please feel free to contact a member of our international team.