The obligation to appoint an EU-based representative will arise under the EU's Network and Information Security (NIS) Directive. The Directive sets standards on cybersecurity for 'digital service providers', a term which covers online marketplaces, online search engines and cloud computing service providers.
Digital service providers based in the UK and providing services in other EU countries currently do not need to designate a representative in other EU countries because the UK is a member of the EU. However, that will change in a 'no deal' Brexit scenario when the requirement for an EU-based representative will apply to UK-based digital service providers that provide services in countries in the EU.
In a new 'no deal' Brexit checklist aimed at media and broadcast organisations, the government warned businesses subject to the NIS regime: "You may be fined if you do not have a representative to help you meet online security standards".
The government published 'no deal' Brexit guidance late last year which provides more detail on the requirements.
"When you designate the representative, you must comply with the law in that EU member state," the government guidance said. "Your representative will act on your behalf, and it should be possible for the competent authorities (i.e. the ICO in the UK) and/or the computer security incident response teams (i.e. the equivalent of NCSC in the UK) of the relevant EU member state to contact the representative."
"You should designate the representative in writing by a formal process set by the relevant EU member state authority, stating that the representative will act on your behalf to fulfil your legal requirements that arise under the law of that EU member state, including incident reporting," it said.
Digital service providers with their main establishment in the UK would be subject to UK NIS rules "when offering services in the UK", and they would also be "under the jurisdiction of the member state where the representative is established" in cases where they appoint an EU-based representative to account for the services they provide in the EU, the guidance said.
UK digital service providers are required to be registered with the Information Commissioner's Office (ICO). The guidance said the businesses would need to inform the ICO if they have designated a representative in an EU member state.
Out-Law Analysis
15 May 2018
Out-Law News
03 Mar 2017