
UK NIS代理人って必要?
FAQでUK NISの概要、適用範囲、自社に代理人が必要かどうかをわかりやすく解説しています。
UK NISとは?
UK NIS規則(ネットワークおよび情報セキュリティ規則)は、重要サービスやデジタルインフラのサイバーセキュリティと耐障害性を向上させることを目的とした英国の法律です。
UK NISは、エネルギー、輸送、医療などの重要サービス事業者(OES)や関連するデジタルサービス提供者(RDSP)に、強固なセキュリティ対策と重大なサイバーインシデントの報告を求めています。目的は、重要サービスの継続性を確保し、サイバー脅威から英国のデジタル経済を守ることです。
NISは、サイバー攻撃や物理的インシデントなど多様なリスクに備え、技術的・運用的・組織的なサイバーセキュリティ対策を義務付けています。
UK NISに準拠することで、事業運営を保護し、耐障害性を強化。ステークホルダーを守り、サービスへの信頼を高められます。不遵守には最大1,700万ポンドの罰金が科される可能性があります。
UK NISは域外適用があり、英国国外に本社を置く企業でも、英国で事業を行う場合はNIS主管当局およびCSIRTへの連絡先として代理人を任命することを義務付けています。
信頼を確立し、リスクを最小化
Prighterを代理人にすれば、英国でサービスを安定して提供する姿勢を示せます。
いざというときも当局と連携し、トラブルを最小限に抑える準備ができます。
NIS代理人はPrighterにお任せ
PrighterはUK NIS代理人として御社のコンプライアンスを徹底支援。
罰金リスクを回避し、当局との確実な連絡手段を提供します。
かんたん・スピーディーに導入
PrighterがNIS主管当局への登録を代行。
代理人情報は御社サイトや契約書、ベンダー評価資料に利用でき、UK NIS代理人を任命済みであることをしっかり示せます。
信頼できる現地窓口を確保
サイバーセキュリティは重要課題。
Prighterなら、監督当局との必要なやり取りやインシデント報告を正確かつ丁寧に管理できます。
監督当局との連絡
PrighterはUK NISに関するあらゆる事項で、NIS監督当局やCSIRTへの正式な連絡窓口を務めます。
Authority Case Managementシステムにより、監督機関とのすべてのやり取りを見える化し、完全に管理。
インシデント報告
インシデント報告は代理人の重要な役割です。
Prighterの専門チームとIncident Managementシステムを活用することで、重大な場面でも確実に対応できます。
また、同じインシデントについてGDPR違反通知が必要な場合も、まとめて対応できます。
規制対応で事業成長を後押し
UK NISの適用対象であるということは、英国に重要なサービスを提供している証です。
コンプライアンスを確実に管理していることを示し、信頼を構築して営業活動を促進しましょう。
コンプライアンスをアピール
顧客、監督当局、その他重要なステークホルダーに、御社が信頼できるプロアクティブなパートナーであることを示しましょう。
ウェブサイトにPrighterコンプライアンスバッジを表示し、UK NIS代理人としてPrighterを任命したことを証明するコンプライアンス証明書を活用できます。
Trust Center
貴社専用のカスタマイズ可能なTrust Centerランディングページを提供。
セキュリティやコンプライアンスへの取り組みを効果的にアピールし、顧客の信頼を高めましょう。
プロフェッショナルによるサポート
経験豊富な専門家によるサービス設計と支援で、UK NIS関連の監督当局・CSIRTとの連絡もプロがしっかりサポートします。
オールインワンで解決
データセキュリティ、プライバシー保護、デジタルガバナンスは切り離せません。
Prighterとそのグローバルネットワークを活用すれば、あらゆるデジタルコンプライアンスニーズをまとめて解決できます。
ニーズに合わせて
コアサービスに加え、法務、技術、セキュリティの各分野に対応する専門サービスも用意。
専門家の知見と経験を活かして、デジタル規制の変化にも自信を持って対応できます。
情報ライブラリ
リーガルナレッジやガイドラインなど役立つ資料を社内チーム向けに提供。
Prighterがこれまで培った知見を活用し、自社のニーズに合わせてカスタマイズできます。
プロにお任せ
Prighterは頼れるパートナーとして御社をサポート。
個別ニーズに合わせてセキュリティ体制の構築や運用を支援し、「人の温かみ」を感じるサービスを提供します。
:quality(80):fill(transparent))
UK NIS Representation
サイズを選択:
サイズを選択:
medium
50-249 employees
large
250-749 employees
enterprise
750+ employees
補完製品を追加:
Privacy Representation
4 products
Digital Governance
2 products
Privacy Software
2 products
Core Features
Marketing Features
Authority Features
Data Subject Features
Knowledge
Subscription
ご利用の流れ
お客様の声
世界中の組織と提携し、堅牢なコンプライアンスを確保しています。以下は、当社の尊敬されるお客様がPrighterの体験について述べた内容です。
:quality(95))
Prighter は、EU および UK GDPR の代理人契約に関して、私たちが求めていた答えを提供してくれました。モバイルアプリを開発するスタートアップという立場でのニーズにも即応し、チーム全員が高品質で親身なサポートをしてくださいました。複雑な市場においてサービスを進化させ続ける姿勢も立派ですし、業界アップデートやウェビナーも常に魅力的かつ有用です。Prighter があることで安心感が得られ、時間も節約できており、信頼できるパートナーシップに心から満足しています。
情報ライブラリ
Prighterの情報ライブラリは、世界中の企業が国際的なプライバシー、AI、デジタル・ガバナンスに関する規制を理解し、対応できるよう支援するためのコンテンツを揃えています。
コンプライアンスに不慣れな方も、専門家の方も、ご自身の取り組みをレベルアップするための実用的なヒントや最新情報が見つかります。
NIS UK Representation FAQ
Does the NIS-Directive apply to our company?
Is NIS still applicable in the UK?
Yes, the Network and Information Systems (NIS) Regulations remain fully applicable in the United Kingdom. Originally based on the European NIS Directive, the UK transposed these requirements into its own national legislation as the UK NIS Regulations 2018. Despite Brexit, these regulations have been retained and continue to ensure robust network and information system security within the UK. Therefore, the UK NIS Regulations remain in effect and enforceable post-Brexit.
Who must comply with the UK NIS regulations?
The UK Network and Information Systems (NIS) Regulations 2018 apply to:
- Operators of Essential Services (OES): Organizations in sectors such as energy, banking, transport, health, water, and digital infrastructure.
- Digital Service Providers (DSPs): Including online search engines, online marketplaces, and cloud computing services.
These regulations apply to DSPs that:
- Provide at least one of the following services: an online search engine, an online marketplace, or cloud computing services.
- Do not meet the definition of a micro or small enterprise, meaning they have 50 or more employees and an annual turnover or balance sheet exceeding €10 million.
Note that if the DSP's head office is outside the UK, it is required to appoint a UK-based representative to comply with these regulations.
By ensuring these organizations implement robust security measures and report significant incidents, the UK NIS Regulations help maintain the resilience and security of critical services across the United Kingdom.
What is a Digital Service Provider?
A Digital Service Provider (DSP) is any legal entity that offers digital services subject to the UK Network and Information Systems (NIS) Regulations 2018. It is important to note that not all digital services are subject to these obligations—only specific services are covered.
Online Marketplaces: An Online Marketplace is a platform that allows consumers and traders to conduct online sales or service contracts with traders. These marketplaces serve as the final destination for the conclusion of these contracts. For example, application stores that enable the digital distribution of applications or software programs from third parties are considered online marketplaces. However, the term does not include online services that function solely as intermediaries to third-party services through which a contract can ultimately be concluded.
Online Search Engines: An Online Search Engine allows users to perform searches of websites based on queries on any subject. This includes search engines that operate across all languages. However, search functions that are limited to the content of a specific website, even if provided by an external search engine, are not included under the UK NIS Regulations. Additionally, online services that compare the prices of particular products or services from different traders and then redirect users to preferred traders to purchase the product are also excluded.
Cloud Computing Services: Cloud Computing Services enable access to a scalable and elastic pool of shareable computing resources such as networks, servers, storage, applications, and services. To qualify as a cloud computing service under the UK NIS Regulations, the service must exhibit the following three properties:
- Scalable Resources: Resources can be flexibly allocated by the cloud service provider, regardless of their geographical location, to handle fluctuations in demand.
- Elastic Pool of Resources: Computing resources are provisioned and released according to demand, allowing for rapid increases or decreases in available resources based on workload.
- Shareable: Computing resources are provided to multiple users who share common access to the service. However, the processing is carried out separately for each user, even though the service is provided from the same electronic equipment.
Different business models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) are included under the UK NIS Regulations. Additionally, hybrid models and other variations that meet the definition of enabling access to scalable, elastic, and shareable computing resources are also covered.
Exemptions: Small and Micro Businesses
- There is a general exemption for micro and small businesses under the UK NIS Regulations. If your digital service provider has:
- Fewer than 50 staff, and An annual turnover and/or balance sheet below €10 million,
you are not classified as a DSP and are exempt from NIS obligations. This exemption also includes sole traders. However, if your service is part of a larger group, you must assess whether the total staffing numbers and financial thresholds of the entire group exceed the small business exemption criteria.
Does my company offer services in the EU or the UK?
Determining whether your company offers services in the UK involves assessing the markets you intend to target. Simply having a website accessible in English is not sufficient to establish this intent. Instead, consider the following factors:
- Use of UK-Specific Language or Currency: Offering services priced in GBP or providing content tailored to British English indicates an intention to serve UK customers.
- Ordering Capabilities: Allowing customers to place orders or access services specifically designed for the UK market suggests service provision within the UK.
- Marketing and Targeting Efforts: Directing marketing campaigns towards the UK or establishing customer support based in the UK are strong indicators of offering services in the region.
Are there any exemptions from this obligation?
Yes, there are exemptions. If your company does not have an establishment in the UK but offers digital services within the UK, you are generally obliged to appoint a UK NIS representative under the UK Network and Information Systems (NIS) Regulations 2018. However, this obligation does not apply to:
- Small Enterprises: Companies employing fewer than 50 persons and with an annual turnover and/or annual balance sheet total not exceeding €10 million.
- Microenterprises: Companies employing fewer than 10 persons and with an annual turnover and/or annual balance sheet total not exceeding €2 million.
Therefore, if your company has fewer than 50 employees and an annual turnover and/or annual balance sheet total below €10 million, you are exempt from the requirement to appoint a UK NIS representative.
What are the main obligations for DSPs under the UK NIS Regulations?
Under the UK Network and Information Systems (NIS) Regulations 2018, Digital Service Providers (DSPs) have several key obligations to ensure the security and resilience of their network and information systems when offering services within the United Kingdom:
Technical and Organisational Measures: DSPs must identify and implement appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems they use.
These measures should:
- Manage Risks: Address risks that could compromise the availability, authenticity, integrity, or confidentiality of data and services.
- Proportionality: Be appropriate to the potential impact of the risk, considering the state of the art and cost of implementation.
- Preventive Actions: Include measures to prevent cybersecurity incidents where possible.
Incident Management and Impact Minimisation
DSPs are required to:
- Prevent Incidents: Take steps to prevent incidents that could affect the security of their network and information systems.
- Minimise Impact: Implement measures to minimize the impact of any incidents that do occur, with the goal of ensuring the continuity of their digital services.
- Recovery Plans: Develop and maintain incident response and recovery plans to restore services promptly.
Incident Reporting
DSPs must notify the relevant authority when an incident occurs that has a substantial impact on the provision of their services within the UK:
- Notification Duty: Report incidents without undue delay to the Information Commissioner's Office (ICO).
- Content of Notification: Provide sufficient information to enable the ICO to determine the significance of the incident, including the nature of the incident, its impact, and any remedial actions taken.
- Collaboration: Cooperate with the ICO and the National Cyber Security Centre (NCSC) as necessary during investigations and incident management.
Appointment of a UK Representative
Under the UK NIS regulations, organizations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations. This representative is responsible for:
- Liaison Role: Serving as the point of contact for the ICO and other relevant UK authorities.
- Compliance Assurance: Ensuring the DSP meets all obligations under the UK NIS Regulations.
- Availability: Being accessible to the UK authorities for any inquiries or enforcement actions.
Where does our company have to appoint a NIS representative?
Which NIS law do I have to comply with?
If your company is a Digital Service Provider (DSP) and exceeds the relevant thresholds, the applicable law under the UK Network and Information Systems (NIS) Regulations 2018 depends on where your company is established and where you offer your services:
- If your company has its head office in the UK: You are governed by the UK NIS Regulations 2018.
- If your company does not have its head office in the UK but offers services there: You are governed by the UK NIS Regulations 2018 and you must appoint a representative in the UK who will act on your behalf under UK jurisdiction.
In both cases, your company must comply with the UK NIS Regulations, implementing appropriate security measures and fulfilling all reporting obligations.
Does our company need a UK representative?
If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers certain digital services within the UK, you are required to appoint a UK representative under the UK Network and Information Systems (NIS) Regulations 2018.
According to the regulations:
- Designation of a Representative: Companies without a head office in the UK but offering certain digital services in the UK must designate a representative based in the UK. This representative will act on your company’s behalf to ensure compliance with the UK NIS Regulations.
- Impact of Brexit: Since Brexit, the European Union (EU) is now considered a "third country" from a UK perspective. As a result, if you are an EU-based company offering services in the UK but without a head office in the UK, you will need to appoint a UK representative.
Role of the Representative:
- Acts on behalf of your company regarding compliance with the UK NIS Regulations.
- Serves as the point of contact for relevant UK authorities.
By appointing a UK representative, your company ensures compliance with the UK NIS Regulations, contributing to the security and resilience of network and information systems within the United Kingdom.
What are the requirements for appointing a UK NIS representative?
If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers digital services within the UK, you are required under the UK Network and Information Systems (NIS) Regulations 2018 to appoint a representative in the UK. The requirements for appointing a UK NIS representative include:
- Confirmation in Writing: You must confirm the appointment of your UK representative in writing after completing the registration process with the Information Commissioner's Office (ICO).
- Representative's Compliance: Your representative must comply with UK law and act on your behalf in fulfilling your legal obligations under the UK NIS Regulations, including incident reporting.
- Accessibility: The representative should be readily contactable by the ICO and the National Cyber Security Centre (NCSC).
When nominating your UK representative, you should provide the ICO with information about:
- Your Company's Head Office: Whether you have a head office located outside the UK.
- Other Representatives: Whether you have nominated a representative in another country.
- Compliance with Other Legislation: Whether you are complying with equivalent network and information systems legislation in another country.
- Location of Systems: Whether you are operating network and information systems located outside the UK.
By providing this information, you help the ICO understand your company's structure and ensure effective communication. Appointing a UK representative ensures that your company adheres to the UK NIS Regulations, contributing to the security and resilience of essential digital services within the United Kingdom.
Do companies that are based outside the EU and the UK need two representatives now?
If your company does not have an establishment within either the EU or the UK but is offering their services to individuals in both regions, you will have to appoint both an EU and a UK representative in order to comply with all relevant legislation, which consists of EU law and its implementation in the Member States on one hand, and UK law on the other hand. Please note that your EU representative must be established in one of the Member States your services are being offered to. Your UK representative must be established in the UK.
What are the possible consequences of non-compliance with the UK NIS Regulations?
Under the UK Network and Information Systems (NIS) Regulations 2018, organizations that fail to comply with their obligations can face substantial penalties. Non-compliant companies may be fined up to £17 million. The exact amount depends on factors such as the severity of the breach, the extent of the negligence, and the potential impact on network and information system security. Failure to appoint a UK NIS representative when required is also a serious offense. Organisations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations.
How can our company appoint Prighter as our representative?
What are the general requirements when appointing a UK NIS representative and what are the obligations of the representative?
When appointing a representative under the UK Network and Information Systems (NIS) Regulations 2018, a Digital Service Provider (DSP) must explicitly designate the representative through a written mandate. This representative should be established in the United Kingdom and act as a local contact point, being readily accessible to relevant UK authorities like the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The representative acts on behalf of the DSP regarding all legal obligations under the UK NIS Regulations, including incident reporting and liaising with authorities. They must comply with UK law and assist with any investigations or requests related to NIS compliance. By appointing a UK NIS representative, Digital Service Providers (DSPs) that do not have their head office in the UK ensure that they fulfil their legal obligations and contribute to the security and resilience of network and information systems within the United Kingdom.
How does Prighter comply with these requirements?
Prighter ensures compliance by offering an end-to-end digital onboarding process where a Power of Attorney is generated and can be signed either online or on paper. We provide dedicated communication channels with the relevant UK authorities, such as the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), acting on your behalf to fulfill all legal obligations under the UK Network and Information Systems (NIS) Regulations 2018, including incident reporting and liaising with authorities.