+49 (0) 89 20 300 64 22 Mon - Fri 09:00-18:00
CYBERLEGIS.legal accepts all common cryptocurrencies for payment.
The Security of EU Network & Information Systems Regulations (NIS Regulations; NISD - NIS Directive Implementation Act; NISG – Netz- und Informationssystemsicherheitsgesetz) called NIS Directive in the following - provide legal measures to boost the level of security (both cyber & physical resilience) of network and information systems for the provision of essential services and digital services.
The NIS Directive not only applies to EU-based companies but also to DSPs without an establishment in the EU if they offer their services there. These companies also have to designate an EU Representative.
DSPs include operators of:
Exemption:
For the purposes of NIS Directive, a Digital Service Provider is any legal person that provides a digital service (art. 4(6) NIS Directive) and Digital Service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services (Art. 4(5) NIS Directive)
If you provide an online search engine, online marketplace or cloud computing service (either alone or in combination) then you are a digital service provider (DSP). Your digital service must be provided to external customers – i.e., to individuals or organisations. If you only maintain these services internally, you are not a DSP.
Online search engines are digital services that enable individuals to perform searches of all websites based on a particular query or search term. If you run a website that uses an embedded search from a search engine provider, your site is not covered by NIS and you are not deemed to be a DSP – it is the underlying search engine that is covered.
Online marketplaces are digital services that allow individuals or traders to conclude sales or service contracts with traders, either on their own website or by means of providing services to traders’ websites. Online retailers that sell directly to individuals on their own behalf are not covered.
Cloud services are digital services that ‘enable access’ to a scalable and elastic pool of shareable computing resources. This can include common cloud models like ‘Platform as a Service’ (PaaS) and ‘Infrastructure as a Service’ (IaaS). If you provide ‘Software as a Service’ (SaaS) you are also covered to the extent that your service is scalable and elastic.
There is a general exemption for small and micro businesses. If you have fewer than 50 staff and an annual turnover and/or balance sheet below €10 million does not apply to you and you are not an DSP. However, if your service is part of a larger group, you need to include the staff and turnover size of the group when assessing whether the small business exemption applies (Art. 16(11) NIS Directive)
If you are a digital service provider, you are required to take appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
Under the NISD, DSPs are required to:
These measures are further detailed by implementing national laws. The requirements above mentioned are similar to the GDPR requirements to maintain risk-appropriate technical and organizational measures for data security (Art. 32 GDPR) and to notify data protection authorities in case of personal data breaches (Art. 33 GDPR), however, differ in detail as the NISD aims to protect general availability of digital services, unlike the GDPR which solely protects personal information.
We as representative act as a contact point for national competent authority or a CSIRT instead of the digital service provider with regard to the obligations of that Digital Service Provider under NIS Directive. In addition, your representative's range of tasks includes representing your company with regard to the obligations arising from the NIS Directive.
Our goal is to enable non-European companies to comply with NIS Directive by a combination of legal expertise and technology know-how.
We support you in all cybersecurity related matters and above all in helping your business grow by enabling you to improve customers' trust and handling cybersecurity matters in an efficient and professional way. The NIS Representative must be designated in writing by the DSP to be contacted by the national competent authority or a CSIRT on any cybersecurity issues. We use a fully NIS Directive compliant NIS representative agreement.
In principle, there is no indication concerning the number of representatives needed to comply with the obligation to appoint a representative in the EU. Art. 4(10) NIS Directive defines the representative as any natural or legal person established in the Union explicitly designated to act on behalf of a digital service provider not established in the Union, which may be addressed by a national competent authority or a CSIRT instead of the digital service provider with regard to the obligations of that digital service provider under this Directive. Therefore, only one NIS representative is enough to comply with this requirement, even if your company has branches in several EU countries.
The NIS Directive extends its ‘territorial scope’ to digital service providers established in a country outside of the EU. The NIS Directive allows member states to set their fine limits (art. 21 NISD). Maximum fines for non-compliance with the NIS Directive vary throughout the EU member states (e.g.: EUR 50,000 in Germany; EUR 200.000 in Belgium; EUR 500,000 in Ireland; EUR 20,000 in Estonia; EUR 1,000,000 in Spain).
RAe Niedermeier – Law Firm GmbH (CYBERLEGIS) is an European Law Firm with headquarters in Munich Downtown, Germany. CYBERLEGIS specializing in NIS Representative Services under EU Network & Information Systems Regulations.
(Further information: NIS REP_Cyberlegis_Flyer_2021) Download
(Further information: Cyberlegis_Flyer_2021) Download