Statutory Instruments

2019 No. 1444

Exiting The European Union

Electronic Communications

The Network and Information Systems (Amendment etc.) (EU Exit) (No. 2) Regulations 2019

Sift requirements satisfied: 30th October 2019

Made: 31st October 2019

Laid before Parliament: 4th November 2019

Coming into force in accordance with regulation 1

The requirements of paragraph 3(2) of Schedule 7 to that Act (relating to the appropriate Parliamentary procedure for these Regulations) have been satisfied.

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Network and Information Systems (Amendment etc.) (EU Exit) (No. 2) Regulations 2019.

(2) These Regulations come into force on the twentieth day after exit day.

(3) In these Regulations—

(a) “the NIS Regulations” means the Network and Information Systems Regulations 2018(2);

(b) “the 2019 Regulations” means the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019(3).

PART 1 Amendments to retained EU law

Amendments of the NIS Regulations

2.—(1) The NIS Regulations are amended as follows.

(2) In regulation 1(2), after “relevant law-enforcement authority” insert—

“representative” means any natural or legal person established in the United Kingdom who is able to act on behalf of a digital service provider established outside the United Kingdom with regard to its obligations under these Regulations; and.

(3) After regulation 14 insert—

Representatives of digital service providers established outside the United Kingdom

14A.—(1) This regulation applies to any digital service provider which—

(a) has its head office outside the United Kingdom, but which offers digital services within the United Kingdom; and

(b) is not a small or micro enterprise as defined in Commission Recommendation 2003/361/EC(4).

(2) The digital service provider must—

(a) nominate in writing a representative in the United Kingdom; and

(b) notify the Information Commissioner of the name and contact details of that representative.

(3) The digital service provider must comply with paragraph (2)—

(a) in the case of a provider which is offering digital services within the United Kingdom on the coming into force date of these regulations, within three months of the date on which these regulations come into force; or

(b) in any other case, within three months of the provider first offering digital services in the United Kingdom.

(4) The Information Commissioner or GCHQ may contact the representative instead of or in addition to the digital service provider for the purposes of ensuring compliance with these Regulations.

(5) A nomination under paragraph (1) is without prejudice to any legal action which could be initiated against the nominating digital service provider.

Revocation of Regulation (EU) 2019/881

3.  Regulation (EU) 2019/881 of the European Parliament and of the Council of 17th April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) is revoked.

PART 2 Amendment of the 2019 Regulations

Amendment of the 2019 Regulations

4.  In the Schedule to the 2019 Regulations, in paragraph 11(b), for “paragraphs (10) and (11)” substitute “paragraph (10)”.

Matt Warman

Minister for Digital and Broadband

Department for Digital, Culture, Media and Sport

31st October 2019

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations are made in exercise of the powers conferred by section 8(1) of the European Union (Withdrawal) Act 2018 (c. 16) (“the Act”) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under paragraphs (a), (b), (c) and (d) of section 8(2)) which apply to this instrument arising from the withdrawal of the UK from the EU.

These Regulations make amendments in the field of cyber security. Part 1 amends the Network and Information Systems Regulations 2018 (S.I. 2018/506) (“the NIS Regulations”), which implement Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the EU (“the NIS Directive”). Part 1 also revokes Regulation (EU) 2019/881 of the European Parliament and of the Council of 17th April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15) (“the ENISA Regulation”).

The NIS Regulations would not, without these amendments, operate effectively following the withdrawal of the UK from the EU. The changes are necessary to enable the Information Commissioner to regulate digital services providers within scope of the NIS Directive based outside the UK but offering services within the UK, and to require those providers to comply with the NIS Regulations.

The ENISA Regulation is being revoked because it establishes and confers functions upon the European Union Agency for Network and Information Security (ENISA), which is an EU body. The ENISA Regulation is retained by the Act and cannot operate to have any effect in UK law. It is therefore being revoked so as to remove it from the UK statute book.

Part 2 amends the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653) to correct a drafting error.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private or voluntary sector is foreseen.

An Explanatory Memorandum is published alongside the instrument at www.legislation.gov.uk.

The EU instruments referred to above are published at http://eur-lex.europa.eu.

(2) S.I. 2018/506. This instrument was amended by S.I. 2018/629.

(4) Commission Recommendation concerning the definition of micro, small and medium-sized enterprises (OJ No. L 124, 20.5.2003, p. 36).