Draft Regulations laid before Parliament under paragraph 1(1) of Schedule 7 to the European Union (Withdrawal) Act 2018, for approval by resolution of each House of Parliament.

2021 No. 000

Exiting The European Union

Electronic Communications

The Network and Information Systems (EU Exit) (Amendment) Regulations 2021

Made***

Coming into force***

The Secretary of State makes these Regulations in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 20181.

In accordance with paragraph 1(1) of Schedule 7 to that Act, a draft of this instrument has been laid before Parliament and approved by a resolution of each House of Parliament.

Citation and commencement1.

These Regulations may be cited as the Network and Information Systems (EU Exit) (Amendment) Regulations 2021 and come into force twenty-eight days after the day on which they are made.

Extent and application2.

(1)

These Regulations extend to England and Wales, Scotland and Northern Ireland.

(2)

These Regulations apply to—

(a)

the United Kingdom, including its internal waters;

(b)

the territorial sea adjacent to the United Kingdom2; and

(c)

the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 19643.

Amendment of the Network and Information Systems Regulations 20183.

(1)

Regulation 12 of the Network and Information Systems Regulations 20184 (relevant digital service providers) is amended as follows.

(2)

For paragraph (7)(b) substitute—

“(b)
have regard to any relevant guidance published by the Information Commissioner.”.

Amendment of Commission Implementing Regulation (EU) 2018/1514.

(1)

Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact is amended as follows5.

(2)

In Article 2(5) for the words from “Pursuant to” to the end of the paragraph substitute “United Kingdom, European and internationally accepted standards and specifications relevant to the security of network and information systems may also be used.”.

(3)

In Article 3(3) for “Member States of the EU” substitute “areas of the United Kingdom”.

(4)

Omit Article 4.

Name

Title

Department for Digital, Culture, Media and Sport

Address

Date

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations are made in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018 (c. 16) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(d)) arising from the withdrawal of the United Kingdom from the European Union.

These Regulations amend both the retained EU law version of Commission Implementing Regulation (EU) 2018/151 and the Network and Information Systems Regulations 2018 (S.I. 2018/506) (which relate to securing network and information systems) by amending and removing certain criteria for managing and reporting cyber risks that apply to digital service providers where those criteria are no longer appropriate now that the United Kingdom has left the European Union. In particular, thresholds for reporting cyber incidents that were set by reference to the impact of the incident on the European Union’s population have been removed and these thresholds will instead be set in guidance.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sectors is foreseen.