On 12 March 2018, the European Commission published a Notice to Stakeholders clarifying the rules that will apply post Brexit in the field of security of network and information systems. The Notice states that, subject to any transitional arrangement contained in a potential withdrawal agreement, the EU rules will not apply to the UK after its withdrawal from the EU. The UK will therefore become a 'third country', and this will have a number of repercussions for digital service providers (DSPs).

The Network and Information Systems (NIS) Directive imposes security and incident notification requirements on DSPs. To clarify, for the purposes of the NIS Directive, a DSP is considered to be an online marketplace, an online search engine or a cloud services provider, unless already subject to sector-specific regulation in this area.

These requirements are subject to ex post supervisory control by national competent authorities. The Notice clarifies how the rules on the jurisdiction for such supervisory activity will apply after the UK's withdrawal from the EU.

  • A DSP that was subject to the jurisdiction of the UK before the withdrawal date because its main establishment was in the UK may be subject to the following:
    • If it maintains one or several establishments in the EU, it will be deemed to be under the jurisdiction of the EU Member State where it has its main establishment in the EU. This will result in a change of competent authority.
    • If the DSP is no longer established in the EU, but offers digital services into the EU, it will be required to designate a representative in an EU Member State.
  • A DSP established in neither the EU nor the UK, but subject to the jurisdiction of the UK before the withdrawal date because it had designated a representative in the UK, will be required to designate a representative in an EU Member State where services are offered.

The national authority of the Member State where the DSP either has its main establishment or has designated a representative will receive notifications of incidents taking place within the EU and exercise ex post supervisory control.
