Government publishes guidance on NIS Regulations – what non-UK digital service providers operating in the UK should do after Brexit

The guidance covers what organisations based outside the UK but offering services in the UK must do to comply with the Network and Information System Regulations 2018 (which implemented the Network and Information Systems Directive (2016/1148/EU)).

The NIS Directive provides legal measures to boost the overall level of network and information system security in the EU. It applies to operators of essential services and Relevant Digital Service Providers (RDSPs).

The guidance states that organisations based in the EU offering services in the UK must:

  • appoint a representative in the UK;
  • confirm this in writing following the Information Commissioner’s Office (ICO) registration process; and
  • comply with the NIS Regulations in the UK. Organisations must do this even if they are already complying with the domestic law transposed from the NIS Directive in an EU Member State.

The appointed representative can act on the organisation’s behalf in fulfilling its legal obligations and should be contactable by the ICO or NCSC. The representative will act on the organisation’s behalf to fulfil legal requirements under the NIS Regulations, including incident reporting, and in its dealings with the ICO and the NCSC in the UK. The representative will need to comply with UK law.

Organisations should tell the ICO if any of the following apply:

  • it has a head office in an EU Member State;
  • it has nominated a representative in an EU Member State;
  • it is complying with equivalent legislation in another country; or
  • it is operating network and information systems located outside the UK.

Organisations should also tell the ICO that they are complying with equivalent legislation in another country or running network and information systems located outside the UK.
