UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit.

By Gail E. Crawford, Fiona Maclean, and Amy Smyth

Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and online marketplaces — that provide services into the UK to nominate a UK representative following Brexit. The representative will also have to be registered with the UK Information Commissioner’s Office (ICO).

Non-UK-based digital services providers will remain liable for breaches, notwithstanding the appointment of a representative. A representative will be required to act on behalf of a provider, but it is not currently clear whether a representative maybe be liable for a provider’s breach; whether the updated UK NIS Regulations will address this point explicitly remains to be seen.

As and when the UK ceases to be an EU Member State following Brexit, the requirement to appoint a representative will apply to EU-based service providers offering services into the UK. This approach mirrors the NIS Directive requirements applicable to digital services providers that are based outside the EU but offer services into the EU.

In alignment with the equivalent GDPR concept, the threshold for digital services providers “offering” (NIS Directive terminology) or “providing” (UK NIS Regulations terminology) services requires an element of actively targeting services to UK customers. Unlike the GDPR, the NIS Regulations also apply to services provided to companies. The government states that the requirement to appoint a NIS representative shall apply if the “head office” of the service provider is located outside the UK. This seems to indicate a difference to the GDPR approach, requiring the appointment of a representative under NIS even if the service provider has an establishment but not the “head office” in the UK.

For global digital businesses that are neither based in the EU or the UK but offer services in both markets, two representative appointments under NIS will be needed following Brexit — one in a relevant EU Member State and one in the UK. Organisations will have three months in which to appoint their UK legal representatives (the government has indicated that the clock will start ticking 20 days after the date of the UK’s exit from the EU), and can do so from within their own corporate groups, or through an external provider.

Financial penalties under the UK NIS Regulations are currently limited to breaches of core information security and breach response obligations. The UK government has not indicated whether specific sanctions will be introduced for failing to appoint a representative. The familiar issue of practical enforcement against non-EU organisations may also be on authorities’ radars. Even if a national representative is appointed, neither the NIS Directive nor the current UK NIS Regulations directly address whether sanctions may be effectively enforced against a representative for a non-EU digital services provider’s breach.

For more detail on other aspects of NIS and the impact of Brexit, please see Latham’s previous posts on Brexit and data transfers, Brexit and UK data privacy, and UK guidance on cybersecurity under NIS.