Search Legislation

The Network and Information Systems Regulations 2018

What Version

 Help about what version
  • Latest available (Revised)
  • Original (As made)

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

PART 4Digital Services

Relevant digital service providers

12.—(1) A RDSP must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide, within the European Union, the following services—

(a)online marketplace;

(b)online search engine; or

(c)cloud computing service.

(2) The measures taken by a RDSP under paragraph (1) must—

(a)(having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed;

(b)prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services; and

(c)take into account the following elements as specified in Article 2 of EU Regulation 2018/151—

(i)the security of systems and facilities;

(ii)incident handling;

(iii)business continuity management;

(iv)monitoring auditing and testing; and

(v)compliance with international standards.

(3) A RDSP must notify the Information Commissioner about any incident having a substantial impact on the provision of any of the digital services mentioned in paragraph (1) that it provides.

(4) The requirement to notify in paragraph (3) applies only if the RDSP has access to information which enables it to assess whether the impact of an incident is substantial.

(5) The notification mentioned in paragraph (3) must provide the following information—

(a)the operator’s name and the essential services it provides;

(b)the time the NIS incident occurred;

(c)the duration of the NIS incident;

(d)information concerning the nature and impact of the NIS incident;

(e)information concerning any, or any likely, cross-border impact of the NIS incident; and

(f)any other information that may be helpful to the competent authority.

(6) The notification under paragraph (3) must—

(a)be made without undue delay and in any event no later than 72 hours after the RDSP is aware that an incident has occurred; and

(b)contain sufficient information to enable the Information Commissioner to determine the significance of any cross-border impact.

(7) In order to determine whether the impact of an incident is substantial the RDSP must—

(a)take into account the following parameters, as specified in Article 3 of EU Regulation 2018/151—

(i)the number of users affected by the incident and, in particular, the users relying on the digital service for the provision of their own services;

(ii)the duration of the incident;

(iii)the geographical area affected by the incident;

(iv)the extent of the disruption to the functioning of the service;

(v)the extent of the impact on economic and societal activities; and

(b)assess whether at least one of situations described in Article 4 of EU Regulation 2018/151 has taken place.

(8) After receipt of a notification under paragraph (3) the Information Commissioner must share the incident notification with the CSIRT as soon as reasonably practicable.

(9) If an OES is reliant on a RDSP to provide an essential service, the operator must notify the relevant competent authority in relation to it about any significant impact on the continuity of the service it provides caused by an incident affecting the RDSP as soon as it occurs.

(10) If an incident notified under paragraph (3) affects two or more Member States, the Information Commissioner must inform the relevant authorities in each of the affected Member States about that incident as soon as reasonably practicable.

(11) The Information Commissioner is not required to share information under paragraph (9) if the information contains—

(a)confidential information; or

(b)information which may prejudice the security or commercial interests of a RDSP.

(12) If the Information Commissioner or CSIRT—

(a)consults with the RDSP responsible for an incident notification under paragraph (3), and

(b)is of the view that public awareness about that incident is necessary to prevent or manage it, or is in the public interest,

the Information Commissioner or CSIRT may inform the public about that incident or direct the RDSP responsible for the notification to do so.

(13) Before the Information Commissioner or CSIRT informs the public about an incident notified under paragraph (3), the Information Commissioner or CSIRT must consult each other and the RDSP who provided the notification.

(14) The Information Commissioner may inform the public about an incident affecting digital services in another Member State if—

(a)the relevant authorities in the affected Member State notify the Information Commissioner about the incident;

(b)the Commissioner consults with those relevant authorities; and

(c)the Commissioner is of the view mentioned in paragraph (11)(b).

(15) The Information Commissioner must provide an annual report to the SPOC identifying the number and nature of incidents notified to it under paragraph (3).

(16) The first report mentioned in paragraph (15) must be submitted on or before 1st July 2018 and subsequent reports must be submitted at annual intervals after that date.

(17) In this regulation “EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 laying down rules for the application of Directive (EU) 2016/148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact(1).

Co-operation and action across Member State boundaries

13.—(1) The Information Commissioner must co-operate with, and assist, competent authorities in other Member States, if the Commissioner considers that is appropriate to secure the effective supervision of—

(a)RDSPs who have network and information systems located in another Member State; or

(b)digital service providers who do not meet the condition mentioned in regulation 1(3)(e)(i) but have network and information systems located in the United Kingdom.

(2) The co-operation and assistance referred to in paragraph (1) may include—

(a)sharing information with, and receiving information from, a competent authority in another Member State to the extent that the Information Commissioner considers it necessary and appropriate;

(b)receiving a request from a competent authority in another Member State for the Information Commissioner to take enforcement action with respect to a RDSP mentioned in paragraph (1)(a); and

(c)making a request to a competent authority in another Member State for enforcement action to be taken with respect to a digital service provider mentioned in paragraph (1)(b).

Registration with the Information Commissioner

14.—(1) The Information Commissioner must maintain a register of all RDSPs that have been notified to it.

(2) A RDSP must submit the following details to the Information Commissioner before the registration date for the purpose of maintaining the register mentioned in paragraph (1)—

(a)the name of the RDSP;

(b)the address of its head office, or of its nominated representative; and

(c)up-to-date contact details (including email addresses and telephone numbers).

(3) A RDSP must notify the Information Commissioner about any changes to the details it submitted under paragraph (2) as soon as possible, and in any event within three months of the date on which the change took effect.

(4) In this regulation, the “registration date” means—

(a)1st November 2018, in the case of a RDSP who satisfies the conditions mentioned in regulation 1(3)(e) on the coming into force date of these Regulations, or

(b)in any other case, the date three months after the RDSP satisfies those conditions.

(1)

OJ No. L 26, 31.1.2018, p. 48.

Back to top

Options/Help

Print Options

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Memorandum

Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Impact Assessments

Impact Assessments generally accompany all UK Government interventions of a regulatory nature that affect the private sector, civil society organisations and public services. They apply regardless of whether the regulation originates from a domestic or international source and can accompany primary (Acts etc) and secondary legislation (SIs). An Impact Assessment allows those with an interest in the policy area to understand:

  • Why the government is proposing to intervene;
  • The main options the government is considering, and which one is preferred;
  • How and to what extent new policies may impact on them; and,
  • The estimated costs and benefits of proposed measures.
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as made version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources