Prighter acts as your representative for the Digital Services Act.

Trusted by customers around the world.

Do you need an NIS 2 representative?

Take our five-minute self-assessment to check whether NIS 2 applies to your company and whether you are obliged to appoint a representative.

What is NIS 2?

The Network and Information Security (NIS) Directive is an EU cybersecurity directive that aims to achieve a high level of protection and resilience for critical infrastructure. NIS 2 updates and repeals NIS by widening the scope to cover more types of organisations, adapting cybersecurity measures to the current threat landscape, and tightening incident-reporting requirements.

To increase cyber resilience, NIS 2 requires essential and important entities to implement robust technical, operational and organisational cybersecurity measures to prevent or minimise disruption from a wide range of hazards, from cyberattacks to physical incidents.

Complying with NIS 2 helps protect your operations and strengthen resilience, protecting your stakeholders and building trust in your services. It is also worth noting that NIS 2 aims at stricter enforcement and harmonises the regime for fines across EU Member States. Fines for essential entities amount to either €10 million or 2% of annual worldwide turnover, and for important entities either €7 million or 1.4% of annual worldwide turnover, whichever is higher.

Like NIS, NIS 2 has extraterritorial scope and also applies to companies worldwide that operate in the EU. Companies without an establishment in the EU must also designate a representative as a point of contact for authorities.

Compliance first: Be ready. Stay compliant.

By appointing Prighter as your representative, you demonstrate the readiness of your communication channel with the authorities and CIRTs. Gain peace of mind and avoid heavy fines for non-compliance.

Trust Prighter NIS representation.

We act as your representative and fulfil the obligation under Article 26 of NIS 2 and its transposition into Member State law. Complying with the obligation to appoint a representative helps avoid penalties and establishes a communication channel with the authorities.

Multiple locations available

We can serve you from several EU Member States, so you can choose where to appoint an NIS representative. The jurisdiction of the authorities and CIRTs follows the location of the representative, which allows so-called forum shopping.

Registration made easy

We prepare all the forms required for registration with the authority during onboarding and handle the registration process on your behalf. We also provide you with a public notice of the appointment that you can use on your website or in documents such as contracts, confirmation letters or supplier assessments.

Reliable addressee

We know that cybersecurity is an extremely sensitive topic, and we take our responsibility as your reliable point of contact seriously. As your representative, we facilitate and manage contact with authorities and handle incidents with the utmost care.

Authority communication

We act on your behalf as the addressee for the competent authorities and CIRTs in all NIS-related matters. With our Authority Case Management System, we ensure that you have transparency and control over all interactions with authorities.

Incident reporting

A mandatory part of the representative's role is incident reporting. With our incident management and our team of experts, we are ideally positioned to support you with important tasks such as reporting incidents under NIS 2. At the same time, we also take care of data breach notification under the GDPR.

Simplify the complexity.

By appointing Prighter as your NIS representative, you simplify your compliance by working with just one EU Member State authority instead of having to deal with the complexities of multiple authorities across the EU.

Turn compliance into growth

Congratulations! If NIS applies to you, you are a trusted player in the market and other companies can rely on you. Remove obstacles in your sales process with solid NIS compliance.

Communicate your proactive compliance.

Let customers, partners, regulators and other online audiences know that you are a reliable partner. Show your proactive approach to regulatory compliance with a Compliance Batch for your website footer and a compliance certificate confirming your appointment of Prighter as your EU NIS representative.

Your exclusive Trust Center

We provide you with a white-label landing page for your Trust Center. You can customise it to make it your showcase for security and compliance. We also confirm our appointment as your EU NIS representative to strengthen your audience's trust.

Involve Prighter experts

Because others rely on you, you can rely on us. Our team of experts is ready to support you in your security-related communication with authorities and CIRTs. Draw on our knowledge and make sure your interactions are compliant.

The Prighter One-Stop Shop

Security, privacy, and AI and digital governance are closely linked and share similar concepts and requirements. With Prighter and our global partner network, you can cover the entire digital regulatory landscape with a single provider, ensuring consistency and cost efficiency.

Tailored service

In addition to our core products, we can offer you legal, technical and security-related services. Rely on the experience and knowledge of our experts to guide you through the constantly evolving framework for digital services.

Resource center

We give your internal team full access to our resources (knowledge, documentation and policies) to support your compliance efforts. Use the proven foundation we have built for customers and adapt it to your specific needs.

Rely on our experts

Our team stands by you as a trusted and reliable partner. We support you with individual needs and help you set up and maintain your security programme according to your unique situation. Compliance products with a personal touch.

UK NIS Representation

Combine additional representation services to receive discounts of up to 40%

€170/month
Billed annually: €2,040
Save €228/year

Price breakdown:

UK NIS Representation: €170/month

Core Features

Representative for the UK
Qualified local team
Registration with the authority

Marketing Features

Compliance Batch for your website
Dedicated Trust Center
Compliance certificate

Authority Features

Point of contact for the ICO and CIRTs
Unlimited Authority Requests
Authority Case Manager (basic)
Data Breach Notification (basic)

Data Subject Features

Addressee for other stakeholders
Unlimited Requests from other Stakeholders

Knowledge

Knowledgehub Access
Regulatory Monitoring
UK NIS Training

Subscription

Entities and Brands Covered (5)
Digital Governance management suite (5 seats)
Support Level (basic)

What our customers say

We work with organisations around the world to ensure robust compliance. Here is what some of our valued customers have to say about their experience with Prighter.

Prighter has provided the answer we were looking for in terms of EU and UK GDPR representation. Their team has given excellent assistance on a range of issues, not to mention being incredibly responsive and understanding of our needs as a start-up developing a mobile app. Their commitment to continual evolution is commendable in this complex market and their industry updates and webinars are always engaging and useful. Prighter gives us peace of mind and saves us time and we couldn’t be happier with this reliable partnership.

Joannah Bodden Small
Founder and CEO at Caraleya

Resource Center

Our Resource Center is designed to help companies around the world understand and navigate compliance with international privacy, AI and digital governance regulations. Whether you are new to compliance or an experienced privacy professional, you will find helpful tips, fresh insights and practical resources to improve your approach to compliance.

NIS UK Representation FAQ

Does the NIS-Directive apply to our company?

Is NIS still applicable in the UK?

Yes, the Network and Information Systems (NIS) Regulations remain fully applicable in the United Kingdom. Originally based on the European NIS Directive, the UK transposed these requirements into its own national legislation as the UK NIS Regulations 2018. Despite Brexit, these regulations have been retained and continue to ensure robust network and information system security within the UK. Therefore, the UK NIS Regulations remain in effect and enforceable post-Brexit.

Who must comply with the UK NIS regulations?

The UK Network and Information Systems (NIS) Regulations 2018 apply to:

  • Operators of Essential Services (OES): Organizations in sectors such as energy, banking, transport, health, water, and digital infrastructure.
  • Digital Service Providers (DSPs): Including online search engines, online marketplaces, and cloud computing services.

These regulations apply to DSPs that:

  • Provide at least one of the following services: an online search engine, an online marketplace, or cloud computing services.
  • Do not meet the definition of a micro or small enterprise, meaning they have 50 or more employees and an annual turnover or balance sheet exceeding €10 million.

Note that if the DSP's head office is outside the UK, it is required to appoint a UK-based representative to comply with these regulations.

By ensuring these organizations implement robust security measures and report significant incidents, the UK NIS Regulations help maintain the resilience and security of critical services across the United Kingdom.

What is a Digital Service Provider?

A Digital Service Provider (DSP) is any legal entity that offers digital services subject to the UK Network and Information Systems (NIS) Regulations 2018. It is important to note that not all digital services are subject to these obligations—only specific services are covered.

Online Marketplaces: An Online Marketplace is a platform that allows consumers and traders to conduct online sales or service contracts with traders. These marketplaces serve as the final destination for the conclusion of these contracts. For example, application stores that enable the digital distribution of applications or software programs from third parties are considered online marketplaces. However, the term does not include online services that function solely as intermediaries to third-party services through which a contract can ultimately be concluded.

Online Search Engines: An Online Search Engine allows users to perform searches of websites based on queries on any subject. This includes search engines that operate across all languages. However, search functions that are limited to the content of a specific website, even if provided by an external search engine, are not included under the UK NIS Regulations. Additionally, online services that compare the prices of particular products or services from different traders and then redirect users to preferred traders to purchase the product are also excluded.

Cloud Computing Services: Cloud Computing Services enable access to a scalable and elastic pool of shareable computing resources such as networks, servers, storage, applications, and services. To qualify as a cloud computing service under the UK NIS Regulations, the service must exhibit the following three properties:

  • Scalable Resources: Resources can be flexibly allocated by the cloud service provider, regardless of their geographical location, to handle fluctuations in demand.
  • Elastic Pool of Resources: Computing resources are provisioned and released according to demand, allowing for rapid increases or decreases in available resources based on workload.
  • Shareable: Computing resources are provided to multiple users who share common access to the service. However, the processing is carried out separately for each user, even though the service is provided from the same electronic equipment.

Different business models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) are included under the UK NIS Regulations. Additionally, hybrid models and other variations that meet the definition of enabling access to scalable, elastic, and shareable computing resources are also covered.

Exemptions: Small and Micro Businesses

There is a general exemption for micro and small businesses under the UK NIS Regulations. If your digital service provider has:

  • Fewer than 50 staff, and
  • An annual turnover and/or balance sheet below €10 million,

you are not classified as a DSP and are exempt from NIS obligations. This exemption also includes sole traders. However, if your service is part of a larger group, you must assess whether the total staffing numbers and financial thresholds of the entire group exceed the small business exemption criteria.

Does my company offer services in the EU or the UK?

Determining whether your company offers services in the UK involves assessing the markets you intend to target. Simply having a website accessible in English is not sufficient to establish this intent. Instead, consider the following factors:

  • Use of UK-Specific Language or Currency: Offering services priced in GBP or providing content tailored to British English indicates an intention to serve UK customers.
  • Ordering Capabilities: Allowing customers to place orders or access services specifically designed for the UK market suggests service provision within the UK.
  • Marketing and Targeting Efforts: Directing marketing campaigns towards the UK or establishing customer support based in the UK are strong indicators of offering services in the region.

Are there any exemptions from this obligation?

Yes, there are exemptions. If your company does not have an establishment in the UK but offers digital services within the UK, you are generally obliged to appoint a UK NIS representative under the UK Network and Information Systems (NIS) Regulations 2018. However, this obligation does not apply to:

  • Small Enterprises: Companies employing fewer than 50 persons and with an annual turnover and/or annual balance sheet total not exceeding €10 million.
  • Microenterprises: Companies employing fewer than 10 persons and with an annual turnover and/or annual balance sheet total not exceeding €2 million.

Therefore, if your company has fewer than 50 employees and an annual turnover and/or annual balance sheet total below €10 million, you are exempt from the requirement to appoint a UK NIS representative.

What are the main obligations for DSPs under the UK NIS Regulations?

Under the UK Network and Information Systems (NIS) Regulations 2018, Digital Service Providers (DSPs) have several key obligations to ensure the security and resilience of their network and information systems when offering services within the United Kingdom:

Technical and Organisational Measures: DSPs must identify and implement appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems they use.

These measures should:

  • Manage Risks: Address risks that could compromise the availability, authenticity, integrity, or confidentiality of data and services.
  • Proportionality: Be appropriate to the potential impact of the risk, considering the state of the art and cost of implementation.
  • Preventive Actions: Include measures to prevent cybersecurity incidents where possible.

Incident Management and Impact Minimisation

DSPs are required to:

  • Prevent Incidents: Take steps to prevent incidents that could affect the security of their network and information systems.
  • Minimise Impact: Implement measures to minimize the impact of any incidents that do occur, with the goal of ensuring the continuity of their digital services.
  • Recovery Plans: Develop and maintain incident response and recovery plans to restore services promptly.

Incident Reporting

DSPs must notify the relevant authority when an incident occurs that has a substantial impact on the provision of their services within the UK:

  • Notification Duty: Report incidents without undue delay to the Information Commissioner's Office (ICO).
  • Content of Notification: Provide sufficient information to enable the ICO to determine the significance of the incident, including the nature of the incident, its impact, and any remedial actions taken.
  • Collaboration: Cooperate with the ICO and the National Cyber Security Centre (NCSC) as necessary during investigations and incident management.

Appointment of a UK Representative

Under the UK NIS regulations, organizations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations. This representative is responsible for:

  • Liaison Role: Serving as the point of contact for the ICO and other relevant UK authorities.
  • Compliance Assurance: Ensuring the DSP meets all obligations under the UK NIS Regulations.
  • Availability: Being accessible to the UK authorities for any inquiries or enforcement actions.

Where does our company have to appoint a NIS representative?

Which NIS law do I have to comply with?

If your company is a Digital Service Provider (DSP) and exceeds the relevant thresholds, the applicable law under the UK Network and Information Systems (NIS) Regulations 2018 depends on where your company is established and where you offer your services:

  • If your company has its head office in the UK: You are governed by the UK NIS Regulations 2018.
  • If your company does not have its head office in the UK but offers services there: You are governed by the UK NIS Regulations 2018 and you must appoint a representative in the UK who will act on your behalf under UK jurisdiction.

In both cases, your company must comply with the UK NIS Regulations, implementing appropriate security measures and fulfilling all reporting obligations.

Does our company need a UK representative?

If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers certain digital services within the UK, you are required to appoint a UK representative under the UK Network and Information Systems (NIS) Regulations 2018.

According to the regulations:

  • Designation of a Representative: Companies without a head office in the UK but offering certain digital services in the UK must designate a representative based in the UK. This representative will act on your company’s behalf to ensure compliance with the UK NIS Regulations.
  • Impact of Brexit: Since Brexit, the European Union (EU) is now considered a "third country" from a UK perspective. As a result, if you are an EU-based company offering services in the UK but without a head office in the UK, you will need to appoint a UK representative.

Role of the Representative:

  • Acts on behalf of your company regarding compliance with the UK NIS Regulations.
  • Serves as the point of contact for relevant UK authorities.

By appointing a UK representative, your company ensures compliance with the UK NIS Regulations, contributing to the security and resilience of network and information systems within the United Kingdom.

What are the requirements for appointing a UK NIS representative?

If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers digital services within the UK, you are required under the UK Network and Information Systems (NIS) Regulations 2018 to appoint a representative in the UK. The requirements for appointing a UK NIS representative include:

  • Confirmation in Writing: You must confirm the appointment of your UK representative in writing after completing the registration process with the Information Commissioner's Office (ICO).
  • Representative's Compliance: Your representative must comply with UK law and act on your behalf in fulfilling your legal obligations under the UK NIS Regulations, including incident reporting.
  • Accessibility: The representative should be readily contactable by the ICO and the National Cyber Security Centre (NCSC).

When nominating your UK representative, you should provide the ICO with information about:

  • Your Company's Head Office: Whether you have a head office located outside the UK.
  • Other Representatives: Whether you have nominated a representative in another country.
  • Compliance with Other Legislation: Whether you are complying with equivalent network and information systems legislation in another country.
  • Location of Systems: Whether you are operating network and information systems located outside the UK.

By providing this information, you help the ICO understand your company's structure and ensure effective communication. Appointing a UK representative ensures that your company adheres to the UK NIS Regulations, contributing to the security and resilience of essential digital services within the United Kingdom.

Do companies that are based outside the EU and the UK need two representatives now?

If your company does not have an establishment within either the EU or the UK but offers its services to individuals in both regions, you will have to appoint both an EU and a UK representative in order to comply with all relevant legislation, which consists of EU law and its implementation in the Member States on the one hand, and UK law on the other. Please note that your EU representative must be established in one of the Member States your services are being offered to. Your UK representative must be established in the UK.

What are the possible consequences of non-compliance with the UK NIS Regulations?

Under the UK Network and Information Systems (NIS) Regulations 2018, organizations that fail to comply with their obligations can face substantial penalties. Non-compliant companies may be fined up to £17 million. The exact amount depends on factors such as the severity of the breach, the extent of the negligence, and the potential impact on network and information system security. Failure to appoint a UK NIS representative when required is also a serious offense. Organisations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations.

How can our company appoint Prighter as our representative?

What are the general requirements when appointing a UK NIS representative and what are the obligations of the representative?

When appointing a representative under the UK Network and Information Systems (NIS) Regulations 2018, a Digital Service Provider (DSP) must explicitly designate the representative through a written mandate. This representative should be established in the United Kingdom and act as a local contact point, being readily accessible to relevant UK authorities like the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The representative acts on behalf of the DSP regarding all legal obligations under the UK NIS Regulations, including incident reporting and liaising with authorities. They must comply with UK law and assist with any investigations or requests related to NIS compliance. By appointing a UK NIS representative, Digital Service Providers (DSPs) that do not have their head office in the UK ensure that they fulfil their legal obligations and contribute to the security and resilience of network and information systems within the United Kingdom.

How does Prighter comply with these requirements?

Prighter ensures compliance by offering an end-to-end digital onboarding process where a Power of Attorney is generated and can be signed either online or on paper. We provide dedicated communication channels with the relevant UK authorities, such as the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), acting on your behalf to fulfill all legal obligations under the UK Network and Information Systems (NIS) Regulations 2018, including incident reporting and liaising with authorities.