The Security of Networks & Information Systems Directive (more commonly known as the NIS Directive or the Cybersecurity Directive) is EU legislation which ensures that relevant digital service providers (RDSPs) and operators of essential services (OESs) meet a required level of security for their network and information systems. It is incorporated into UK law in the UK NIS Regulations.
The NIS Representative is responsible for notifying the competent authority or authorities about any incidents that take place which affect RDSPs or OESs.
RDSPs will need to have a NIS representative in the EU if they are offering services in the EU but do not have a head office or establishment in the EU. Both RDSPs and OESs will need to have a NIS representative in the UK if they are offering services in the UK but do not have a head office or establishment in the UK.
An organisation can appoint the same EU and/or UK representative for the purposes both of the NIS Directive/Regulations and the GDPR.
Although the UK has left the EU and the transition period is now over, the UK NIS Regulations continue to apply. UK NIS Representatives should be appointed before 31 March 2021. If you become an RDSP or OES at any time after the beginning of 2021, you have three months to register with the relevant authority (or appoint a representative who will do this on your behalf).
EU Member States (and the UK) set their own penalties for non-compliance with the NIS Directive and Regulations. Fines can be in the millions for RDSPs/OESs who do not comply with these laws.
The GDPR and NIS handle different concerns – the GDPR addresses personal data, whereas NIS focuses on the security of systems. If you require GDPR services, you can find more information here about EU Representative or UK Representative.
The function of the representative is to:
act as the single point of contact for enforcement bodies
liaise with the relevant authorities in other Member States, groups and networks to ensure cross-border cooperation
submit reports to relevant bodies and authorities as part of obligations
NIS applies to two groups of organisations:
Relevant digital service providers (RDSPs). An organisation is considered an RDSP if:
it provides a digital service online, e.g. it is an online search engine or has an online marketplace and/or offers cloud computing
it has 50 or more staff, or a turnover or balance sheet total of more than €10 million per year; and
its main establishment (e.g. head office) is in the EU or UK, or it has nominated a representative in the UK or EU
it offers services in the EU or UK
Operators of essential services (OESs). An organisation is considered an OES if it:
provides services in the EU or UK which are critical for society at large or the economy, such as in the sectors of energy, transport, health, drinking water supply and distribution, and digital infrastructure (or, in the EU, in banking or financial markets).
It must also meet certain operating thresholds relating to, among other things, number of customers and capacity of the service provided. Even if your organisation does not technically meet these thresholds, it can still be designated as an OES by the competent authority if certain conditions are met – for instance, if an incident affecting the provision of that essential service by your organisation is likely to have significant disruptive effects.
We help RDSPs and OESs which are not established in the EU and/or the UK by acting as their NIS Representative to enable them to provide these services within these territories. Contact us to discuss how we can help your organisation.
Find out if your organisation needs a NIS Representative. Speak to us today.
We can act as your NIS Representative within the EU or the UK, depending on your requirement
You may need to satisfy GDPR requirements (how you report data breaches). We can also act as your GDPR EU Representative within the EU, and as your GDPR UK Representative, if required
We are headquartered in Dublin, Ireland and have offices in the UK and Switzerland