Obligation to appoint a representative after Brexit
Do you need a NIS-Representative?
Introduction
The Directive on security of network and information systems (NIS-Directive/EU 2016/1148) was adopted on July 6, 2016. Its aim is to achieve a high common standard of network and information security in all European member states.
The NIS-Directive addresses Operators of Essential Services (OES) and Digital Service Providers (DSP). As an OES or DSP, you need to demonstrate that you have taken appropriate measures to manage the risks posed to the security of your network and information systems, and that measures are in place to prevent security incidents and minimize their impact. Although this is an EU directive, it also applies to non-EU-based companies that provide digital services in the EU.
To improve the implementation of the security measures, companies can be obliged to nominate a representative under the NIS-Directive. This obligation is similar to the obligation in Art. 27 GDPR. But while the EU-GDPR concerns the protection of personal data in the EU, the NIS-Directive concerns the security of network and information systems in the EU.
We explain the representative requirement under the NIS-Directive and clarify whether you need to nominate a representative.
To whom does the duty apply, and how?
The obligation to designate a representative only applies to Digital Service Providers, especially to those who are not based in the EU (Art. 18 II NISD). Digital service providers with fewer than 50 employees and a turnover or balance sheet of less than €10 million a year are exempt from the NIS Regulations and Directive.
You only have to appoint one NIS-Representative, in a relevant member state. The location of the representative of a non-EU-based DSP determines which national regulations apply to it. For example, if you appoint a representative in Germany, German law applies.
The appointment of a NIS-Representative has the advantage that you do not have to address the authorities in every member state in cases of security incidents. If you appoint one representative in one member state, it is enough to inform the authority in that member state only.
The appointment must be in writing. The representative has to be established in a member state in which the Digital Service Provider offers its services. If a DSP provides its services in more than one member state, it can choose in which of those member states it appoints its representative.
What are the tasks of a NIS-representative?
The representative becomes the single point of contact for competent authorities. This task includes ensuring cooperation with authorities in other member states within the framework of the NISD.
The representative also has to submit reports to cooperation groups and the Commission. In some cases, the representative has to inform the relevant law enforcement agency and cooperate with it.
What about companies in the UK or with business in the UK?
The UK implemented the NIS Directive in 2018 through the Network and Information Systems Regulations (NISR), which will continue to apply in the UK, subject to some minor changes. The NISR apply to operators of essential services and Relevant Digital Service Providers, but the changes only concern the DSPs.
UK companies, with or without establishments in the EU, have to appoint a representative when they do business in the EU.
EU companies with no establishments in the UK have to appoint a representative when they do business in the UK. Because of “Brexit”, you have to appoint a NIS-Representative in the UK by 31 March. The representative serves as a point of contact for the UK’s regulator (ICO) and the UK’s National Cyber Security Centre.
Companies that are based in neither the EU nor the UK, but provide digital services there, have to appoint two NIS-Representatives – one in the UK and one in a relevant member state.
What happens if you do not appoint a representative?
The NISD empowers the member states to impose their own sanctions. Therefore, you have to observe the individual rules of the country in which you provide digital services. In almost every member state, the directive has been implemented either completely or in sector-specific laws.
In most cases a fine will be imposed. The amount varies from member state to member state.
If you have further questions, please contact us. We are able to act as your NIS-Representative.