NIS rules: does your cloud provider need to notify post Brexit?

The UK Government’s recent Brexit notice update regarding digital services, published on 16th October, reminds organisations that from 1 January 2021 changes are required to the way certain service providers operate in the UK and EU. Customers procuring relevant digital services may also want to amend their due diligence processes to reflect this. 

What are the new rules and who do they affect?

The new rules relate to the Network and Information Systems (NIS) Directive, which aims to raise the level of network and information system security in the EU. The Directive was implemented in the UK by the NIS Regulations 2018 and will continue to apply in the UK, subject to some minor changes, beyond the end of the Brexit transition period. While the NIS regime covers: (i) operators of essential services in sectors such as energy and transport; and (ii) certain providers of cloud services, online market places and search engines (‘digital services providers’ or ‘DSPs’); these changes only apply to DSPs. 

EU organisations offering services in the UK:  An EU based DSP who offers services in the UK and falls within the NIS regime (as set out in this ICO guidance) must: 

- appoint a representative in the UK - this representative will act on the DSP’s behalf, fulfilling its legal obligations (including reporting any incidents), and will be a point of contact for the UK’s regulator (the ICO) and/or the UK’s National Cyber Security Centre; 

- confirm this appointment in writing to the ICO following its registration process. This includes telling the ICO if it has a head office or nominated representative in an EU Member State, is complying with equivalent legislation in another country and/or is operating a network and information system located outside the UK; and

- follow the UK’s NIS Regulations, in addition to any domestic/EU NIS rules that it must follow.

UK DSPs offering services in the EU:  The European Commission published a similar notice back in March 2018 (which is referenced in the recent UK notice). It confirmed that a UK DSP which provides relevant digital services in the EU and which: 

- also has one or more establishment in the EU, will be deemed to be under the jurisdiction of the EU Member State where it has its main establishment (which effectively means it will have a new ‘competent authority’ or lead EU regulator); and

- no longer has an establishment in any EU Member State, must appoint a representative in the EU. 

Customers procuring digital services: Customers who are looking to procure cloud (and other relevant) services in the UK from an EU DSP (or EU services from a UK DSP) should: 

- check, as part of their due diligence process, that the DSP is complying with these new rules; and

- consider whether they need additional information and contractual protections regarding any appointed representative, for example in relation to managing security breaches or other incidents linked to that service provider which may impact the customer.