NIS Representation EU & UK FAQ
Does the NIS-Directive apply to our company?
Unlike the GDPR, the NIS-Directive is not directly applicable in all Member States; it had to be transposed into national law by each Member State. Although NIS law is based on European legal requirements, it is therefore set out in national UK law, so Brexit has not affected its validity and it will still be applicable after the transition period.
The Directive on Security of Network and Information Systems (NISD) aims to achieve a higher, common EU-wide security standard of network and information systems. It addresses:
- Operators of Essential Services (OES), e.g. in the energy, banking and transport sectors; and
- Digital Service Providers (DSPs), which are divided into three groups: online search engines, online marketplaces, and cloud computing services.
It applies to DSPs that:
- have an establishment in the EU; or
- are established outside the EU but are offering their services within the EU.
A Digital Service Provider is any legal person that offers a digital service. It should be noted that not all digital services are affected by the obligations under the NISD, only specific services.
Online Marketplaces: An online marketplace is a service that allows consumers and traders to conclude online sales or service contracts with traders, and which functions as the final destination for the conclusion of those contracts. Application stores, which operate as online stores enabling the digital distribution of applications or software programs from third parties, are a type of online marketplace.
The term does not include online services that function only as an intermediary to third-party services through which a contract can be ultimately concluded.
Online Search Engines: An online search engine allows the user to perform searches of websites based on a query on any subject. It can also be focused on websites in certain languages.
Search functions that are limited to the content of a specific website, even if the function is provided by an external search engine, are not included in the NIS-Directive. Online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product, are also not included.
Cloud Computing Services: Cloud computing services allow access to a scalable and elastic pool of shareable computing resources such as networks, servers or other infrastructure, storage, applications, and services. The NISD names three properties that a service must have in order to qualify as a cloud computing service:
- Scalable Resources: Resources can be flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand; and
- Elastic Pool of Resources: Computing resources are provisioned and released according to demand, so that the resources available can be rapidly increased or decreased depending on workload; and
- Shareable: Computing resources are provided to multiple users who share common access to the service, but the processing is carried out separately for each user even though the service is provided from the same electronic equipment.
Different business models such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service) are included in the NISD.
When determining whether a company offers its services within the EU or the UK, the decisive question is which markets the company intends to offer its services to. Different factors are considered in order to determine this intention. The mere accessibility of the Digital Service Provider’s (DSP) or an intermediary’s website, or the use of a language which is generally used in the region where the DSP is established, is insufficient to establish such intention. Instead, factors such as the use of a language or a currency generally used in one or more Member States or the UK, and the possibility of ordering services in that other language, may indicate that the DSP is intending to offer its services within a region where it does not have its main establishment.
If your company does not have an establishment in the EU or the UK but offers the digital services mentioned above in these regions, you are generally obliged to appoint a NIS representative.
However, the obligation to appoint a representative does not apply to companies below a certain size. Excluded are:
- Small Enterprises, which are defined as enterprises that employ fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million; and
- Microenterprises, which are defined as enterprises that employ fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.
All in all, this means that if your company has fewer than 50 employees and its annual turnover and/or annual balance sheet total is less than EUR 10 million, you do not have to appoint a representative.
When it comes to DSPs, the main obligations are set out in Art. 16 of the NIS-Directive:
- Technical and Organisational Measures: DSPs must identify and take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems which they use in the context of offering their services within the EU and UK.
- Impact Minimisation: DSPs must take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems.
- Reporting Obligation/Representative: DSPs must notify the relevant authority or the CSIRT when an incident occurs that has a substantial impact on the provision of their service offered in the EU or UK. In the event that a company does not have an establishment in the EU it will need to appoint a representative who acts on behalf of the company.
Where does our company have to appoint a NIS representative?
Unlike the GDPR, which is one law applicable in all Member States, the NISD has been implemented individually by every EU Member State and the UK into their own national laws. Which national law is applicable to your company is determined as follows, always assuming that your company is a DSP and exceeds the relevant thresholds:
- If your company has one or more establishments within the EU then your company is governed by the jurisdiction of the Member State in which it has its main establishment (i.e. where your head office is);
- If your company has its main establishment in the UK, the Network and Information Systems Regulations (2018) applies;
- If you are not established within the EU, but are offering your services within the EU, you will have to appoint a representative that is established in a Member State where you offer your services. Your company is then deemed to be under the jurisdiction of the Member State where the representative is established;
- If you are not established in the UK, but are offering your services there, you will have to appoint a representative in the UK who will be under UK jurisdiction.
According to Art. 18 (2) of the NIS-Directive (and most transpositions in national law), Digital Service Providers that:
- are not established in the EU; and
- offer certain digital services within the EU
must designate a representative in the EU who is established in one of the Member States in which the services are being offered.
After Brexit, the UK is considered a “third country” from an EU perspective. Therefore, an establishment in the UK does not count as an “establishment in a Member State” anymore. Consequently, if you are a UK based company without an establishment in the EU but you are offering your services there, you will have to appoint an Art. 18 representative in the EU.
The UK government has stated that organisations:
- based outside the UK; and
- offering their services in the UK
will have to comply with the UK NIS regulations and will have to appoint a representative in the UK by the end of March 2021.
The UK law does, however, provide exemptions for small companies. If your company employs fewer than 50 persons and its annual turnover and/or balance sheet total is less than EUR 10 million, you will not have to appoint a representative in the UK.
You will have to confirm the appointment of your representative in writing after completing the registration process provided by the Information Commissioner’s Office (ICO). Your representative will have to comply with UK law and should be contactable by the ICO or the NCSC. They will also act on your behalf in fulfilling your legal obligations under the UK NIS law, including incident reporting.
When nominating your UK representative, you should tell the ICO whether you:
- Have a head office in an EU Member State;
- Have nominated a representative in an EU Member State;
- Are complying with an equivalent legislation in another country;
- Are operating network and information systems located outside the UK.
If your company does not have an establishment within either the EU or the UK, but is offering its services to individuals in both regions, you will have to appoint both an EU and a UK representative in order to comply with all relevant legislation, which consists of EU law and its implementation in the Member States on the one hand, and UK law on the other. Please note that your EU representative must be established in one of the Member States your services are being offered to. Your UK representative must be established in the UK.
Since your representative in the UK will no longer cover EU representation after Brexit, you will have to appoint an additional representative that is established in one of the EU Member States your services are being offered to.
Since NIS law is based on an EU directive which is implemented differently in each Member State, there is no universal penalty amount. For example, in the UK non-compliant companies can be fined up to GBP 17,000,000, whereas in Austria penalties amount to EUR 50,000 and can go up to EUR 100,000 in the event of repeat offences.
Also, the fines for failure to appoint a NIS representative vary in each Member State. In the Czech Republic for example, companies can be fined up to EUR 40,000 for failing to appoint an EU representative.
How can our company appoint Prighter as our representative?
The representative should be explicitly designated through a written mandate by the Digital Service Provider.
It should be possible for the relevant authorities or the Computer Security Incident Response Team (CSIRT) to contact the representative, as the representative acts as a local contact point. The representative acts on behalf of the DSP regarding the legal obligations under the NIS law, including incident reporting, and will have to comply with the national law of the country in which they are established.