Search Legislation

The Network and Information Systems Regulations 2018

What Version

 Help about what version
  • Latest available (Revised)
  • Original (As made)

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

PART 2The National Framework

The NIS national strategy

2.—(1) A Minister of the Crown must designate and publish a strategy to provide strategic objectives and priorities on the security of network and information systems in the United Kingdom (“the NIS national strategy”).

(2) The strategic objectives and priorities set out in the NIS national strategy must be aimed at achieving and maintaining a high level of security of network and information systems in—

(a)the sectors specified in column 1 of the table in Schedule 1 (“the relevant sectors”); and

(b)digital services.

(3) The NIS national strategy may be published in such form and manner as the Minister considers appropriate.

(4) The NIS national strategy may be reviewed by the Minister at any time and, if it is revised following such a review, the Minister must designate and publish a revised NIS national strategy as soon as reasonably practicable following that review.

(5) The NIS national strategy must, in particular, address the following matters—

(a)the regulatory measures and enforcement framework to secure the objectives and priorities of the strategy;

(b)the roles and responsibilities of the key persons responsible for implementing the strategy;

(c)the measures relating to preparedness, response and recovery, including cooperation between public and private sectors;

(d)education, awareness-raising and training programmes relating to the strategy;

(e)research and development plans relating to the strategy;

(f)a risk assessment plan identifying any risks; and

(g)a list of the persons involved in the implementation of the strategy.

(6) The Minister must communicate the NIS national strategy, including any revised NIS national strategy, to the Commission within three months after the date on which the strategy is designated under paragraph (1).

(7) Before publishing the NIS national strategy or communicating it to the Commission, the Minister may redact any part of it which relates to national security.

(8) In this regulation “a Minister of the Crown” has the same meaning as in section 8(1) of the Ministers of the Crown Act 1975(1).

Designation of national competent authorities

3.—(1) The person specified in column 3 of the table in Schedule 1 is designated as the competent authority, for the territorial jurisdiction indicated in that column, and for the subsector specified in column 2 of that table (“the designated competent authorities”).

(2) The Information Commissioner is designated as the competent authority for the United Kingdom for RDSPs.

(3) In relation to the subsector for which it is designated under paragraph (1), the competent authority must—

(a)review the application of these Regulations;

(b)prepare and publish guidance;

(c)keep a list of all the operators of essential services who are designated, or deemed to be designated, under regulation 8, including an indication of the importance of each operator in relation to the subsector in relation to which it provides an essential service;

(d)keep a list of all the revocations made under regulation 9;

(e)send a copy of the lists mentioned in sub-paragraphs (c) and (d) to GCHQ, as the SPOC designated under regulation 4, to enable it to prepare the report mentioned in regulation 4(3);

(f)consult and co-operate with the Information Commissioner when addressing incidents that result in breaches of personal data; and

(g)in order to fulfil the requirements of these Regulations, consult and co-operate with—

(i)relevant law-enforcement authorities;

(ii)competent authorities in other Member States;

(iii)other competent authorities in the United Kingdom;

(iv)the SPOC that is designated under regulation 4; and

(v)the CSIRT that is designated under regulation 5.

(4) In relation to digital services, the Information Commissioner must—

(a)review the application of these Regulations;

(b)prepare and publish guidance; and

(c)consult and co-operate with the persons mentioned in paragraph (3)(g), in order to fulfil the requirements of these Regulations.

(5) The guidance that is published by under paragraph (3)(b) or (4)(b) may be—

(a)published in such form and manner as the competent authority or Information Commissioner considers appropriate; and

(b)reviewed at any time, and if it is revised following such a review, the competent authority or Information Commissioner must publish revised guidance as soon as reasonably practicable.

(6) The competent authorities designated under paragraph (1) and the Information Commissioner must have regard to the national strategy that is published under regulation 2(1) when carrying out their duties under these Regulations.

Designation of the single point of contact

4.—(1) GCHQ is designated as the SPOC on the security of network and information systems for the United Kingdom.

(2) The SPOC must—

(a)liaise with the relevant authorities in other Member States, the Cooperation Group and the CSIRTs network to ensure cross-border co-operation;

(b)consult and co-operate, as it considers appropriate, with relevant law-enforcement authorities; and

(c)co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.

(3) The SPOC must submit reports to—

(a)the Cooperation Group based on the incident reports it received under regulation 11(9) and 12(15), including the number of notifications and the nature of notified incidents; and

(b)the Commission identifying the number of operators of essential services for each subsector listed in Schedule 2, indicating their importance in relation to that sector.

(4) The first report mentioned in paragraph (3)(a) must be submitted on or before 9th August 2018 and subsequent reports must be submitted at annual intervals.

(5) The first report mentioned in paragraph (3)(b) must be submitted on or before 9th November 2018 and subsequent reports must be submitted at biennial intervals.

Designation of computer security incident response team

5.—(1) GCHQ is designated as the CSIRT for the United Kingdom in respect of the relevant sectors and digital services.

(2) The CSIRT must—

(a)monitor incidents in the United Kingdom;

(b)provide early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents;

(c)respond to any incident notified to it under regulation 11(5)(b) or regulation 12(8);

(d)provide dynamic risk and incident analysis and situational awareness;

(e)participate and co-operate in the CSIRTs network;

(f)establish relationships with the private sector to facilitate co-operation with that sector;

(g)promote the adoption and use of common or standardised practices for—

(i)incident and risk handling procedures, and

(ii)incident, risk and information classification schemes; and

(h)co-operate with NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.

(3) The CSIRT may participate in international co-operation networks if the CSIRT considers it appropriate to do so.

Information sharing – enforcement authorities

6.—(1) The NIS enforcement authorities may share information with the CSIRT, the Commission and the relevant authorities in other Member States if that information sharing is—

(a)necessary for the requirements of these Regulations, and

(b)limited to information which is relevant and proportionate to the purpose of the information sharing.

(2) When sharing information with the Commission or the relevant authorities in other Member States under paragraph (1), the NIS enforcement authorities are not required to share—

(a)confidential information, or

(b)information which may prejudice the security or commercial interests of operators of essential services or digital service providers.

Information sharing – Northern Ireland

7.—(1) In order to facilitate the exercise of the Northern Ireland competent authority’s functions under these Regulations—

(a)a Northern Ireland Department may share information with the Northern Ireland competent authority; and

(b)the Northern Ireland competent authority may share information with a Northern Ireland Department.

(2) In this regulation—

(a)“the Northern Ireland competent authority” means the competent authority that is specified for Northern Ireland in column 3 of the table in Schedule 1 in relation to the subsectors specified in column 2 of that table; and

(b)“a Northern Ireland Department” means a department mentioned in Schedule 1 to the Departments Act (Northern Ireland) 2016(2).

Back to top

Options/Help

Print Options

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Memorandum

Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Impact Assessments

Impact Assessments generally accompany all UK Government interventions of a regulatory nature that affect the private sector, civil society organisations and public services. They apply regardless of whether the regulation originates from a domestic or international source and can accompany primary (Acts etc) and secondary legislation (SIs). An Impact Assessment allows those with an interest in the policy area to understand:

  • Why the government is proposing to intervene;
  • The main options the government is considering, and which one is preferred;
  • How and to what extent new policies may impact on them; and,
  • The estimated costs and benefits of proposed measures.
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as made version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources