Search Legislation

The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019

What Version

 Help about what version
  • Latest available (Revised)
  • Original (As made)

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Statutory Instruments

2019 No. 653

Exiting The European Union

Electronic Communications

The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019

Sift requirements satisfied

19th March 2019

Made

25th March 2019

Laid before Parliament

27th March 2019

Coming into force in accordance with regulation 1

The Secretary of State makes these Regulations in exercise of the powers conferred by section 8(1) of, and paragraph 21(b) of Schedule 7 to, the European Union (Withdrawal) Act 2018(1).

The requirements of paragraph 3(2) of Schedule 7 to that Act (relating to the appropriate Parliamentary procedure for these Regulations) have been satisfied.

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019.

(2) These Regulations come into force on the twentieth day after exit day.

(3) In these Regulations, “the NIS Regulations” means the Network and Information Systems Regulations 2018(2).

Amendments of retained EU law

2.  In the Schedule—

(a)Part 1 amends domestic legislation (the NIS Regulations);

(b)Part 2 amends or revokes retained direct EU legislation.

Margot James

Minister for Digital and the Creative Industries

Department for Digital, Culture, Media and Sport

25th March 2019

Regulation 2

SCHEDULEAmendments of retained EU law

PART 1Domestic legislation

1.  The NIS Regulations are amended as follows.

2.  In regulation 1, after the definition of “the Commission”, insert—

“EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact..

3.  In regulation 2—

(a)omit paragraph (6);

(b)in paragraph (7), omit “or communicating it to the Commission”.

4.  In regulation 3(3)—

(a)in subparagraph (c), omit “, including an indication of the importance of each operator in relation to the subsector in relation to which it provides an essential service”;

(b)omit subparagraph (g)(ii);

(c)after paragraph (3), insert—

(3A) In relation to the subsector for which it is designated under paragraph (1), the competent authority may consult and co-operate with a public authority in the EU if it is in the interests of effective regulation of that subsector (whether inside or outside the United Kingdom)..

5.  In regulation 4—

(a)for paragraph (2), substitute—

(2) The SPOC may liaise with the relevant authorities in any Member State of the EU, the Cooperation Group and the CSIRTs network if it considers it appropriate.;

(b)after paragraph (2), insert—

(2A) The SPOC must—

(a)consult and co-operate, as it considers appropriate, with relevant law enforcement authorities;

(b)co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.;

(c)in paragraph (3)—

(i)in words before sub-paragraph (a), for “must”, substitute “may, if it considers it appropriate to do so”;

(ii)in subparagraph (b), omit “, indicating their importance in relation to that sector”;

(d)omit paragraphs (4) and (5).

6.  In regulation 5—

(a)in paragraph (2), omit subparagraph (e);

(b)for paragraph (3) substitute—

(3) The CSIRT may co-operate with or participate in international co-operation networks (including the CSIRTs network) if the CSIRT considers it appropriate to do so..

7.  In regulation 6—

(a)in paragraph (1), for “the Commission and the relevant authorities in other Member States”, substitute “and public authorities in the EU”;

(b)in paragraph (2), for “the Commission or the relevant authorities in other Member States” substitute “a public authority in the EU”.

8.  Omit regulation 8(7).

9.  Omit regulation 9(5).

10.  For regulation 11(6) substitute—

(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT may inform the relevant authorities in a Member State if the CSIRT considers that the incident has a significant impact on the continuity of an essential service provision in that Member State..

11.  In regulation 12—

(a)in paragraph (1), for “European Union” substitute “United Kingdom”;

(b)omit paragraphs (10) and (11);

(c)in paragraph (11), for “paragraph (10)”, substitute “these Regulations”;

(d)in paragraph (14), in the opening words, for “another Member State” substitute “a Member State of the EU”;

(e)omit paragraph (17).

12.  For regulation 13 substitute—

Co-operation with the European Union

13.  The Information Commissioner may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the Information Commissioner considers that to do so would be in the interests of effective supervision of digital service providers (whether inside or outside the United Kingdom), including in the event of an incident notified under regulation 12(3)..

13.  In regulation 25—

(a)in paragraph (1)(a), after “these Regulations” insert “and in EU Regulation 2018/151”;

(b)omit paragraph (3).

PART 2Retained direct EU legislation

Commission Implementing Regulation (EU) 2018/151

14.—(1) Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact is amended as follows.

(2) For “digital service provider”, in each place it occurs, substitute “RDSP”.

(3) For “digital service providers”, in each place it occurs, substitute “RDSPs”.

(4) After Article 1, insert—

Article 1A
Interpretation

In this Regulation—

“NIS Regulations” means the Network and Information Systems Regulations 2018;

“RDSP” has the same meaning as in the NIS Regulations..

(5) In Article 2—

(a)In paragraph 1, for “point (a) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(i) of the NIS Regulations”;

(b)in paragraph 2, for “point (b) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(ii) of the NIS Regulations”;

(c)in paragraph 3, for “point (c) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(iii) of the NIS Regulations”;

(d)in paragraph 4, for “point (d) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(iv) of the NIS Regulations”;

(e)in paragraph 5, for “point (e) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(v) of the NIS Regulations”.

(6) In Article 3—

(a)in paragraph 1, for “point (a) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(i) of the NIS Regulations”;

(b)in paragraph 2, for “point (b) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(ii) of the NIS Regulations”;

(c)in paragraph 3—

(i)for “point (c) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(iii) of the NIS Regulations”;

(ii)after “Member States”, insert “of the EU”;

(d)in paragraph 4, for “point (d) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(iv) of the NIS Regulations”;

(e)in paragraph 5, for “point (e) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(v) of the NIS Regulations”.

(7) In Article 4—

(a)in paragraph 1—

(i)in point (a), before “Union” insert “European”;

(ii)in point (b), before “Union” insert “European”;

(iii)for point (d)—

(aa)before “Union” insert “European”;

(bb)for “EUR 1000 000” substitute “£880,000”;

(b)omit paragraph 2.

(8) After Article 5, omit the words from “This Regulation” to “Member States.”.

Regulation (EU) No 526/2013

15.  Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 is revoked.

Revocation of provision of EEA agreement

16.  In Annex 11 of the EEA Agreement, so far as it forms part of domestic law on and after exit day by virtue of section 3(1) of the European Union (Withdrawal) Act 2018, point 5cp is revoked insofar as it is retained EU law.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations are made in exercise of the powers conferred by section 8(1) of the European Union (Withdrawal) Act 2018 (c. 16) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under paragraphs (a), (b), (c), (d) and (g) of section 8(2)) which apply to this instrument arising from the withdrawal of the UK from the European Union.

Part 1 amends the Network and Information Systems Regulations 2018 (S.I. 2018/506) (the NIS Regulations) and Part 2 amends Commission Implementing Regulation (EU) 2018/151 (OJ No L 26, 31.1.2018, p. 48) as retained by the European Union (Withdrawal) Act 2018 (the Act) and revokes Regulation (EU) No 526/2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (the ENISA Regulation)(OJ L165, 18.6.2013, p.41) as retained by the Act.

The NIS Regulations place obligations on GCHQ and the NIS enforcement authorities (the Information Commissioner and the competent authorities which regulate the operators of essential services) to liaise, consult, co-operate and share information with certain EU bodies. The obligations derive from Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive)(OJ No L194, 19.7.2016, p.1). The UK will no longer be a Member State following the UK’s withdrawal from the EU and it will therefore no longer be appropriate to require these bodies to carry out these functions. These Regulations therefore amend the NIS Regulations so as to remove those obligations whilst retaining the ability of these bodies to continue to exercise those functions if required. These amendments are necessary in order to remove these deficient provisions from the UK statute book.

Regulation 2 of the NIS Regulations is amended so as to remove the obligation on UK ministers to communicate the NIS national strategy to the Commission. These amendments are necessary in order to remove these deficient provisions from the UK statute book.

Commission Implementing Regulation (EU) 2018/151 is amended so as to remove references to EU based services providers and to convert from Euros into sterling. These amendments are necessary in order to remove these deficient provisions from the UK statute book.

The ENISA Regulation is being revoked because it establishes and confers functions upon the European Union Agency for Network and Information Security (ENISA), which is an EU body. The Regulation is retained by the Act and cannot operate to have any effect in UK law. It is therefore being revoked so as to remove it from the UK statute book.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private or voluntary sector is foreseen.

An Explanatory Memorandum is published alongside the instrument at www.legislation.gov.uk.

The EU instruments referred to above are published at http://eur-lex.europa.eu.

(2)

S.I. 2018/506. This instrument was amended by S.I. 2018/629.

Back to top

Options/Help

Print Options

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Memorandum

Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as made version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources