- Latest available (Revised)
- Original (As adopted by EU)
Commission Implementing Regulation (EU) 2018/151Show full title
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
You are here:
- Regulations originating from the EU
- 2018 No. 151
- Introduction
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
Opening Options
More Resources
This is a Regulation originating from the EU
This is a legislation item that originated from the EU
After exit day there will be three versions of this legislation to consult for different purposes. The legislation.gov.uk version is the version that applies in the UK. The EU Version currently on EUR-lex is the version that currently applies in the EU i.e you may need this if you operate a business in the EU.
The web archive version is the official version of this legislation item as it stood on exit day before being published to legislation.gov.uk and any subsequent UK changes and effects applied. The web archive also captured associated case law and other language formats from EUR-Lex.
Changes over time for: Introductory Text
Changes to legislation:
There are outstanding changes not yet made to Commission Implementing Regulation (EU) 2018/151. Any changes that have already been made to the legislation appear in the content and are referenced with annotations.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Changes and effects yet to be applied to the whole legislation item and associated provisions
- Signature words omitted by S.I. 2019/653 Sch. para. 14(8)
- Art. 1A inserted by S.I. 2019/653 Sch. para. 14(4)
- Art. 4(1)(a) word inserted by S.I. 2019/653 Sch. para. 14(7)(a)(i)
- Art. 4(1)(b) word inserted by S.I. 2019/653 Sch. para. 14(7)(a)(ii)
- Art. 4(1)(d) sum substituted by S.I. 2019/653 Sch. para. 14(7)(a)(iii)
- Art. 4(1)(d) word inserted by S.I. 2019/653 Sch. para. 14(7)(a)(iii)
Commission Implementing Regulation (EU) 2018/151
of 30 January 2018
laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union(1), and in particular Article 16(8) thereof,
Whereas:
(1) In accordance with Directive (EU) 2016/1148, digital service providers remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risk posed to the security of their network and information systems, as long as those measures ensure an appropriate level of security and take into account the elements provided for in that Directive.
(2) When identifying the appropriate and proportionate technical and organisational measures, the digital service provider should approach information security in a systematic way, using a risk-based approach.
(3) In order to ensure the security of systems and facilities, digital service providers should perform assessment and analysis procedures. These activities should concern the systematic management of network and information systems, the physical and environmental security, the security of supplies and the access controls.
(4) When carrying out a risk analysis within the systematic management of network and information systems, digital service providers should be encouraged to identify specific risks and quantify their significance, for example by identifying threats to critical assets and how they may affect the operations, and determining how best to mitigate those threats based on current capabilities and resource requirements.
(5) Policies on human resources could refer to the management of skills, including aspects related to the development of security related skills and awareness-raising. When deciding on an appropriate set of policies on security of operation, the digital service providers should be encouraged to take into account aspects of change management, vulnerability management, formalisation of operating and administrative practices and system mapping.
(6) Policies on security architecture could comprise in particular the segregation of networks and systems as well as specific security measures for critical operations such as administration operations. The segregation of networks and systems could enable a digital service provider to distinguish between elements such as data flows and computing resources that belong to a client, group of clients, the digital service provider or third parties.
(7) The measures taken with regard to the physical and environmental security should ensure the security of an organisation's network and information systems from damage caused by incidents such as theft, fire, flood or other weather effects, telecommunications or power failures.
(8) The security of supplies such as electrical power, fuel or cooling could encompass the security of the supply chain that includes in particular the security of third party contractors and subcontractors and their management. The traceability of critical supplies refers to the ability of the digital service provider to identify and record sources of those supplies.
(9) The users of digital services should encompass natural and legal persons who are customers of or are subscribers to an online marketplace or a cloud computing service, or who are visitors to an online search engine website in order to undertake keyword searches.
(10) When defining the substantiality of the impact of an incident, the cases laid down in this regulation should be considered as a non-exhaustive list of substantial incidents. Lessons should be drawn from the implementation of this Regulation and from the work of the Cooperation Group as regards the collection of best practice information on risks and incidents and the discussions on modalities for reporting notifications of incidents as referred to in points (i) and (m) of Article 11(3) of Directive (EU) 2016/1148. The result could be comprehensive guidelines on quantitative thresholds of notification parameters that may trigger the notification obligation for digital service providers under Article 16(3) of Directive (EU) 2016/1148. Where appropriate, the Commission could also consider reviewing the thresholds currently laid down in this Regulation.
(11) In order to enable competent authorities to be informed about potential new risks, the digital service providers should be encouraged to voluntarily report any incident whose characteristics have been previously unknown to them such as new exploits, attack-vectors or threat actor, vulnerabilities and hazards.
(12) This Regulation should apply on the day following the expiry of the deadline for transposition of Directive (EU) 2016/1148.
(13) The measures provided for in this Regulation are in accordance with the opinion of the Network and Information Systems Security Committee referred to Article 22 of Directive (EU) 2016/1148,
HAS ADOPTED THIS REGULATION:
Options/Help
Print Options
PrintThe Whole Regulation
PrintThis Introductory Text only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the EU Official Journal
- lists of changes made by and/or affecting this legislation item
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.