The EU General Data Protection Regulation (GDPR) is not the only legal regime applicable to online services which are accessible for users in the European Union. Today, we inform you about the EU representative requirement under the EU Network and Information Systems Directive, explain which companies are affected and offer you a ready-to-go solution for becoming compliant - completely free of extra charge.
Scope of the NISD
The EU Network and Information Systems Directive (NISD) not only applies to EU-based companies but also to Digital Service Providers (DSPs) without an establishment in the EU if they offer their services there.
DSPs include operators of:
- web search engines;
- online marketplaces and ecommerce platforms which allow sellers to conclude retail or wholesale contracts on their platform;
- cloud services, including IaaS, PaaS and SaaS providers.
All requirements outlined below only apply to DSPs which employ at least 50 persons or whose annual turnover / balance sheet total exceeds EUR 10 million.
General obligations for DSPs under the NISD
Under the NISD, DSPs are required to:
- "identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services" (Art. 16 para. 1 NISD);
- "take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services [...], with a view to ensuring the continuity of those services" (Art. 16 para. 2 NISD); and to
- "notify the competent authority or the Computer Security Incident Response Teams without undue delay of any incident having a substantial impact on the provision of a service" (Art. 16 para. 3 NISD).
These requirements are very similar to the GDPR requirements to maintain risk-appropriate technical and organizational measures for data security (Art. 32 GDPR) and to notify data protection authorities in case of personal data breaches (Art. 33 GDPR). They differ in detail, however, because the NISD aims to protect the general availability of digital services, whereas the GDPR solely protects personal information.
For example, when it comes to breach notifications, the reporting obligation may cover incidents which do not include any personal data in the sense of the GDPR. Also, notifications must be issued to authorities different from the data protection authorities. DSPs are advised to complement their incident response policies accordingly.
Maximum fines for non-compliance with the NISD vary throughout the EU member states (e.g. EUR 50,000 in Germany; EUR 500,000 in Ireland; GBP 17,000,000 in the UK; EUR 20,000 in Estonia; EUR 1,000,000 in Spain).
You can find more detailed information on the scope of applicability and general obligations in the Guidelines by the European Union Agency for Cybersecurity.
Obligation to designate an EU representative
The NISD may apply to companies established outside the EU. In order to ensure that such service providers can be reached by the EU NISD enforcement authorities, the NISD requires non-EU companies to designate a representative in the European Union.
The obligation to appoint an EU representative applies to the DSPs mentioned above which:
- have no establishment in the EU; and
- offer services in the EU, determined by factors such as the use of a language or a currency generally used in one or more EU member states with the possibility of ordering services in that language, or the mentioning of EU customers or users.
Requirements for the EU representative
The EU Representative under Art. 18 para. 2 NISD:
- must be designated in writing;
- must be established in one of the EU member states in which the DSP offers its services; and
- acts on behalf of the DSP and can be addressed by EU authorities which are supervising compliance with the NIS Directive.
DP Dock is currently acting as your EU representative under Art. 27 GDPR and can be addressed on all issues relating to privacy compliance. Since the NISD is not primarily a privacy regulation, our current mandate is insufficient to ensure compliance with the NISD. This is why we offer to extend the scope of our services (see below).
Effects of the appointment: one-stop shop
The NISD addresses EU member states and requires them to implement national provisions which impose the abovementioned obligations on DSPs. For a DSP without establishments in the EU, the location of its EU representative determines which national provisions apply and which national authorities are competent to supervise the DSP's compliance with the NISD. In other words: designating an EU representative in Germany has the effect that only German NIS law applies to the company, even if the service is also available in France, Belgium, the Netherlands, etc.
Appointing an EU representative thereby also triggers a one-stop shop for reporting security incidents under the NISD. Companies without an EU representative must address the authorities of all 28 EU member states in which they offer their services, all in their local language. Companies which have designated an EU representative need to inform one authority only.
Separate NIS representatives in the UK
The fact that the United Kingdom has left the EU will affect the EU representative requirement under the NISD. Until January 1, 2021, a transitional period under the UK Withdrawal Agreement keeps EU law applicable in the UK. If this period is not extended by political decision, the following changes will apply as of 2021 according to the UK government:
- companies located in the UK: if they have no establishment in the EU but do business there, they will have to designate an EU representative;
- companies located in the EU: if they have no establishment in the UK but do business there, they will have to designate a UK representative;
- companies located neither in the UK nor in the EU: if they have no establishment in the UK or EU but do business there, they will have to designate representatives in the UK as well as in the EU.
In addition to the EU representative service, we at DP Dock will also be able to provide a UK representative service. We will inform you if any relevant legal updates take place.
How to become compliant?
For us at DP Dock, mitigating our customers' legal risks under EU privacy and technology laws is our main goal. This is why we decided to offer, in addition to our function as your EU representative under the GDPR, to act as your EU representative under the NISD - completely free of extra charge, without any catch or hidden fees. To prepare for incident reporting and for NISD compliance documentation in general, we recommend consulting your legal advisors.
Designate DP Dock as your EU NIS Directive representative for free
If your assessment based on the information provided above indicates that the NIS Directive may apply to your service, please fill out the following form. We will then send you a draft engagement letter that must be signed by both parties in order to comply with the legal requirement to designate the EU representative in writing.