As the UK moves glacially towards some form of Brexit, attention shifts towards EU cyber security regulations and the potential impact of Brexit on regulatory compliance of UK headquartered businesses.

What follows is based on information provided as part of the No Deal Brexit preparations by the UK Government. In the event of the new withdrawal agreement being fully ratified before Brexit, the UK will continue to operate as if still part of the EU during the implementation period, so the current arrangements will continue. It is also worth noting that the political declaration setting out the broad parameters for the future UK/EU relationship states in clauses 108-111 that it is intended that the UK will continue to participate in the EU institutions relevant to the Network and Information Systems (NIS) Directive. This may not go so far as to allow Digital Services Providers (DSPs) to avoid having a representative in either the UK or the EU if they do not have their business registered there. It also raises the consideration that the proposed new arrangements for Northern Ireland – to be implemented if the new UK/EU future relationship is insufficiently close to avoid a hard or any customs border – may raise the possibility that registration in Northern Ireland may satisfy the requirements of both the EU and the UK as described below.

In early October the Information Commissioner’s Office (ICO) issued letters to all registered relevant digital service providers (RDSP). These letters alerted those RDSPs to the fact that the NIS Directive require DSPs who offer qualifying services within the Union to have a registered representative in a Member State. With the UK leaving the Union their current registrations at the ICO will no longer be adequate for NIS compliance and so RDSPs are encouraged, if they wish to offer digital services in the Union after Brexit, to designate a representative in an alternative Member State.

On the other hand, on 25 October the UK Government issued guidance to organisations based in the EU who offer digital services to the UK. Brexit will mean that non-UK DSPs wishing to continue to provide digital services to UK users must appoint a representative in the UK and must register with the ICO. As an aside, whilst the UK Government guidance is focused on EU-based DSPs, we presume that the core message should apply to any non-UK based DSPs offering a qualifying digital service in the UK.

To read more on what happens next and where to look for assistance click here.

First published on