Changes to legislation:

There are outstanding changes not yet made by the legislation.gov.uk editorial team to The Network and Information Systems Regulations 2018. Any changes that have already been made by the team appear in the content and are referenced with annotations.


Statutory Instruments

2018 No. 506

Electronic Communications

The Network and Information Systems Regulations 2018

Made

19th April 2018

Laid before Parliament

20th April 2018

Coming into force

10th May 2018

The Secretary of State is a Minister designated F1 for the purposes of section 2(2) of the European Communities Act 1972 F2 (“the 1972 Act”) in relation to electronic communications.

These Regulations make provision for a purpose mentioned in section 2(2) of the 1972 Act and it appears to the Secretary of State that it is expedient for certain references to provisions of EU instruments to be construed as references to those provisions as amended from time to time.

The Secretary of State makes the following Regulations in exercise of the powers conferred by section 2(2) of, and paragraph 1A F3 of Schedule 2 to, the 1972 Act and by section 56 of the Finance Act 1973 F4 (“the 1973 Act”) and, in the case of section 56 of the 1973 Act, with the consent of the Treasury.

F1 S.I. 2001/3495. See article 2 of, and Schedule 1 to, these Regulations. There are amendments not relevant to these Regulations.

F2 1972 c.68. Section 2(2) was amended by section 27(1)(a) of the Legislative and Regulatory Reform Act 2006 (c.51) and by Part 1 of the Schedule to the European Union (Amendment) Act 2008 (c.7). In so far as these Regulations deal with matters that are within the devolved competence of Scottish Ministers, the power of the Secretary of State to make regulations in relation to those matters in or as regards Scotland is preserved by section 57(1) of the Scotland Act 1998 (c.46).

F3 Paragraph 1A of Schedule 2 was inserted by section 28 of the Legislative and Regulatory Reform Act 2006 and amended by Part 1 of the Schedule to the European Union (Amendment) Act 2008 and by article 3 of and paragraph 1 of Schedule 1 to SI 2007/1388.

F4 1973 c.51. Section 56 was amended by S.I. 2011/1043; there are other amendments not relevant to these Regulations.

PART 1 Introduction

Citation, commencement, interpretation and application

1.—(1) These Regulations may be cited as the Network and Information Systems Regulations 2018 and come into force on 10th May 2018.

(2) In these Regulations—

“cloud computing service” means a digital service that enables access to a scalable and elastic pool of shareable computing resources;

“the Commission” means the Commission of the European Union;

[F5“EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact;]

“Cooperation Group” means the group established under Article 11(1);

“CSIRTs network” means the network established under Article 12(1);

“digital service” means a service within the meaning of point (b) of Article 1(1) of Directive 2015/1535 which is of any the following kinds—

(a) online marketplace;

(b) online search engine;

(c) cloud computing service;

“digital service provider” means any person who provides a digital service;

“Directive 2013/11” means Directive 2013/11/EU of the European Parliament and of the Council on alternative dispute resolution for consumer disputes F6, and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC, as amended from time to time;

“Directive 2015/1535” means Directive (EU) 2015/1535 of the European Parliament and of the Council laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services F7, as amended from time to time;

“Directive 2016/1148” means Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union F8, as amended from time to time;

“Drinking Water Quality Regulator for Scotland” means the person appointed by the Scottish Ministers under section 7(1) of the Water Industry (Scotland) Act 2002 F9;

“essential service” means a service which is essential for the maintenance of critical societal or economic activities;

[F10“First-tier Tribunal” has the meaning given by section 3(1) of the Tribunals, Courts and Enforcement Act 2007];

“GCHQ” means the Government Communications Headquarters within the meaning of section 3 of the Intelligence Services Act 1994 F11;

“incident” means any event having an actual adverse effect on the security of network and information systems;

“network and information system” (“NIS”) means—

(a) an electronic communications network within the meaning of section 32(1) of the Communications Act 2003 F12;

(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or

(c) digital data stored, processed, retrieved or transmitted by elements covered under paragraph (a) or (b) for the purposes of their operation, use, protection and maintenance;

[F10“OES” (“operator of an essential service”) means a person who is deemed to be designated as an operator of an essential service under regulation 8(1) or is designated as an operator of an essential service under regulation 8(3);]

“online marketplace” means a digital service that allows consumers and/or traders as respectively defined in point (a) and in point (b) of Article 4(1) of Directive 2013/11 to conclude online sales or service contracts with traders either on the online marketplace's website or on a trader's website that uses computing services provided by the online marketplace;

“online search engine” means a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found;

F13...

“relevant law-enforcement authority” has the meaning given in section 63A(1A) of the Police and Criminal Evidence Act 1984 F14; and

[F15“representative” means any natural or legal person established in the United Kingdom who is able to act on behalf of a digital service provider established outside the United Kingdom with regard to its obligations under these Regulations; and]

“risk” means any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems.

(3) In these Regulations a reference to—

[F16(a) an Article, Annex or paragraph of an Article or Annex is a reference to the Article, Annex or paragraph as numbered in Directive 2016/1148.]

(b) a numbered regulation, paragraph or Schedule is a reference to the regulation, paragraph or Schedule as numbered in these Regulations;

(c) “the relevant authorities in a Member State” is a reference to the designated single point of contact (“SPOC”), computer security incident response team (“CSIRT”) [F17or] national competent authorities for that Member State;

(d) the “designated competent authority for [F18an OES]” is a reference to the competent authority that is designated under regulation 3(1) for the subsector in relation to which [F19that OES] provides an essential service;

(e) a “relevant digital service provider” (“RDSP”) is a reference to a person who provides a digital service in the United Kingdom and satisfies the following conditions—

(i) the head office for that provider is in the United Kingdom or that provider has nominated a representative who is established in the United Kingdom;

(ii) the provider is not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC F20;

(f) the “NIS enforcement authorities” is a reference to the competent authorities designated under regulation 3(1) and the Information Commissioner;

(g) “security of network and information systems” means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

(4) Expressions and words used in these Regulations which are also used in Directive 2016/1148 have the same meaning as in Directive 2016/1148.

(5) Nothing in these Regulations prevents a person from taking an action (or not taking an action) which that person considers is necessary for the purposes of safeguarding the United Kingdom's essential State functions, in particular—

(a) safeguarding national security, including protecting information the disclosure of which the person considers is contrary to the essential interests of the United Kingdom's security; and

(b) maintaining law and order, in particular, to allow for the investigation, detection and prosecution of criminal offences F21.

(6) These Regulations apply to—

(a) the United Kingdom, including its internal waters;

(b) the territorial sea adjacent to the United Kingdom;

(c) the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964 F22.

F6 OJ No L 165, 18.6.2013, p63.

F7 OJ No L 241, 17.9.2015, p1.

F8 OJ No L 194, 19.7.2016, p1.

F11 1994 c.13. Section 3 was amended by section 251(1) and (2) of the Investigatory Powers Act 2016 (c. 25).

F12 2003 c.21. Section 32(1) was amended by regulation 2(1) of, and paragraphs 4 and 9(a) of Schedule 1 to, S.I. 2011/1210.

F14 1984 c.60. Section 63A(1A) and (1B) were substituted by section 81(2) of the Criminal Justice and Police Act 2001 (c.16). Subsection (1A) was amended by sections 117(5)(b) and 59 of, and paragraphs 43 and 46 of Schedule 4 to, the Serious and Organised Crime and Police Act 2005 (c. 15); and section 15(3) of, and paragraph 186 of Schedule 8 to, the Crime and Courts Act 2013 (c. 22).

F20 Commission Recommendation concerning the definition of micro, small and medium-sized enterprises (OJ No. L 124, 20.5.2003, p. 36).

F21 See Article 1(6) of Directive 2016/1148.

F22 1964 c. 29. Section 1(7) of the Continental Shelf Act 1964 was amended by section 37 of, and Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23), and section 103 of the Energy Act 2011 (c. 16).

PART 2 The National Framework

The NIS national strategy

2.—(1) A Minister of the Crown must designate and publish a strategy to provide strategic objectives and priorities on the security of network and information systems in the United Kingdom (“the NIS national strategy”).

(2) The strategic objectives and priorities set out in the NIS national strategy must be aimed at achieving and maintaining a high level of security of network and information systems in—

(a) the sectors specified in column 1 of the table in Schedule 1 (“the relevant sectors”); and

(b) digital services.

(3) The NIS national strategy may be published in such form and manner as the Minister considers appropriate.

(4) The NIS national strategy may be reviewed by the Minister at any time and, if it is revised following such a review, the Minister must designate and publish a revised NIS national strategy as soon as reasonably practicable following that review.

(5) The NIS national strategy must, in particular, address the following matters—

(a) the regulatory measures and enforcement framework to secure the objectives and priorities of the strategy;

(b) the roles and responsibilities of the key persons responsible for implementing the strategy;

(c) the measures relating to preparedness, response and recovery, including cooperation between public and private sectors;

(d) education, awareness-raising and training programmes relating to the strategy;

(e) research and development plans relating to the strategy;

(f) a risk assessment plan identifying any risks; and

(g) a list of the persons involved in the implementation of the strategy.

F23(6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(7) Before publishing the NIS national strategy F24..., the Minister may redact any part of it which relates to national security.

(8) In this regulation “a Minister of the Crown” has the same meaning as in section 8(1) of the Ministers of the Crown Act 1975 F25.

Designation of national competent authorities

3.—(1) The person specified in column 3 of the table in Schedule 1 is designated as the competent authority, for the territorial jurisdiction indicated in that column, and for the subsector specified in column 2 of that table (“the designated competent authorities”).

(2) The Information Commissioner is designated as the competent authority for the United Kingdom for RDSPs.

(3) In relation to the subsector for which it is designated under paragraph (1), the competent authority must—

(a) review the application of these Regulations;

(b) prepare and publish guidance;

(c) keep a list of all the operators of essential services who are designated, or deemed to be designated, under regulation 8 F26...;

(d) keep a list of all the revocations made under regulation 9;

(e) send a copy of the lists mentioned in sub-paragraphs (c) and (d) to GCHQ, as the SPOC designated under regulation 4, to enable it to prepare the report mentioned in regulation 4(3);

(f) consult and co-operate with the Information Commissioner when addressing incidents that result in breaches of personal data; and

(g) in order to fulfil the requirements of these Regulations, consult and co-operate with—

(i) relevant law-enforcement authorities;

F27(ii). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(iii) other competent authorities in the United Kingdom;

(iv) the SPOC that is designated under regulation 4; and

(v) the CSIRT that is designated under regulation 5.

[F28(3A) In relation to the subsector for which it is designated under paragraph (1), the competent authority may consult and co-operate with a public authority in the EU if it is in the interests of effective regulation of that subsector (whether inside or outside the United Kingdom).]

(4) In relation to digital services, the Information Commissioner must—

(a) review the application of these Regulations;

(b) prepare and publish guidance; and

(c) consult and co-operate with the persons mentioned in paragraph (3)(g), in order to fulfil the requirements of these Regulations.

(5) The guidance that is published F29... under paragraph (3)(b) or (4)(b) may be—

(a) published in such form and manner as the competent authority or Information Commissioner considers appropriate; and

(b) reviewed at any time, and if it is revised following such a review, the competent authority or Information Commissioner must publish revised guidance as soon as reasonably practicable.

(6) The competent authorities designated under paragraph (1) and the Information Commissioner must have regard to the national strategy that is published under regulation 2(1) when carrying out their duties under these Regulations.

Designation of the single point of contact

4.—(1) GCHQ is designated as the SPOC on the security of network and information systems for the United Kingdom.

[F30(2) The SPOC may liaise with the relevant authorities in any Member State of the EU, the Cooperation Group and the CSIRTs network if it considers it appropriate.]

[F31(2A) The SPOC must—

(a) consult and co-operate, as it considers appropriate, with relevant law enforcement authorities;

(b) co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.]

(3) The SPOC [F32may, if it considers it appropriate to do so] submit reports to—

(a) the Cooperation Group based on the incident reports it received under regulation 11(9) and 12(15), including the number of notifications and the nature of notified incidents; and

(b) the Commission identifying the number of operators of essential services for each subsector listed in Schedule 2 F33....

F34(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F34(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Designation of computer security incident response team

5.—(1) GCHQ is designated as the CSIRT for the United Kingdom in respect of the relevant sectors and digital services.

(2) The CSIRT must—

(a) monitor incidents in the United Kingdom;

(b) provide early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents;

(c) respond to any incident notified to it under regulation 11(5)(b) or regulation 12(8);

(d) provide dynamic risk and incident analysis and situational awareness;

F35(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(f) establish relationships with the private sector to facilitate co-operation with that sector;

(g) promote the adoption and use of common or standardised practices for—

(i) incident and risk handling procedures, and

(ii) incident, risk and information classification schemes; and

(h) co-operate with NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.

[F36(3) The CSIRT may co-operate with or participate in international co-operation networks (including the CSIRTs network) if the CSIRT considers it appropriate to do so.]

Information sharing – enforcement authorities

6.—(1) The NIS enforcement authorities may share information with [F37each other, relevant law-enforcement authorities,] the CSIRT, [F38and public authorities in the EU] if that information sharing is—

[F39(a) necessary for—

(i) the purposes of these Regulations or of facilitating the performance of any functions of a NIS enforcement authority under or by virtue of these Regulations or any other enactment;

(ii) national security purposes; or

(iii) purposes related to the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution;]

(b) limited to information which is relevant and proportionate to the purpose of the information sharing.

[F40(1A) Information shared under paragraph (1) may not be further shared by the person with whom it is shared under that paragraph for any purpose other than a purpose mentioned in that paragraph unless otherwise agreed by the NIS enforcement authority.]

(2) When sharing information with [F41a public authority in the EU] under paragraph (1), the NIS enforcement authorities are not required to share—

(a) confidential information, or

(b) information which may prejudice the security or commercial interests of operators of essential services or digital service providers.

Information sharing – Northern Ireland

7.—(1) In order to facilitate the exercise of the Northern Ireland competent authority's functions under these Regulations—

(a) a Northern Ireland Department may share information with the Northern Ireland competent authority; and

(b) the Northern Ireland competent authority may share information with a Northern Ireland Department.

(2) In this regulation—

(a) “the Northern Ireland competent authority” means the competent authority that is specified for Northern Ireland in column 3 of the table in Schedule 1 in relation to the subsectors specified in column 2 of that table; and

(b) “a Northern Ireland Department” means a department mentioned in Schedule 1 to the Departments Act (Northern Ireland) 2016 F42.

PART 3 Operators of essential services

Identification of operators of essential services

8.—(1) If a person provides an essential service of a kind referred to in F43... Schedule 2 and that service—

(a) relies on network and information systems; and

(b) satisfies a threshold requirement described for that kind of essential service,

that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.

[F44(1A) Paragraph (1) does not apply to a network provider or service provider who is subject to the requirements of sections 105A to 105C of the Communications Act 2003 and in this paragraph “network provider” and “service provider” have the meanings given in section 105A(5) of that Act.]

(2) A person who falls within paragraph (1) must notify the designated competent authority [F45in writing] of that fact before the notification date.

(3) Even if a person does not meet the threshold requirement mentioned in paragraph (1)(b), a competent authority may designate that person as an OES for the subsector in relation to which that competent authority is designated under regulation 3(1), if the following conditions are met—

(a) that person provides an essential service of a kind specified in F46... Schedule 2 for the subsector in relation to which the competent authority is designated under regulation 3(1);

(b) the provision of that essential service by that person relies on network and information systems; and

(c) the competent authority concludes that an incident affecting the provision of that essential service by that person is likely to have significant disruptive effects on the provision of the essential service.

(4) In order to arrive at the conclusion mentioned in paragraph (3)(c), the competent authority must have regard to the following factors—

(a) the number of users relying on the service provided by the person;

(b) the degree of dependency of the other relevant sectors on the service provided by that person;

(c) the likely impact of incidents on the essential service provided by that person, in terms of its degree and duration, on economic and societal activities or public safety;

(d) the market share of the essential service provided by that person;

(e) the geographical area that may be affected if an incident impacts on the service provided by that person;

(f) the importance of the provision of the service by that person for maintaining a sufficient level of that service, taking into account the availability of alternative means of essential service provision;

(g) the likely consequences for national security if an incident impacts on the service provided by that person; and

(h) any other factor the competent authority considers appropriate to have regard to, in order to arrive at a conclusion under this paragraph.

(5) A competent authority must designate an OES under paragraph (3) by notice in writing served on the person who is to be designated and provide reasons for the designation in the notice.

(6) Before a competent authority designates a person as an OES under paragraph (3), the authority may—

F47(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b) invite the person to submit any written representations about the proposed decision to designate it as an OES.

F48(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F49(7A) If a person has reasonable grounds to believe that they no longer fall within paragraph (1) or that the conditions for designation under paragraph (3) are no longer met in relation to them, they must as soon as practicable notify the designated competent authority in writing and provide with that notification evidence supporting that belief.

(7B) A competent authority that receives from a person a notification and supporting evidence referred to in paragraph (7A) must have regard to that notification and evidence in considering whether to revoke that person’s designation.]

(8) A competent authority must maintain a list of all the persons who are deemed to be designated under paragraph (1) or designated under paragraph (3) for the subsectors in relation to which that competent authority is designated under regulation 3(1).

(9) The competent authority must review the list mentioned in paragraph (8) at regular intervals and in accordance with paragraph (10).

(10) The first review under paragraph (9) must take place before 9th May 2020, and subsequent reviews must take place, at least, biennially.

(11) In this regulation [F50the “notification date” means]

(a) 10th August 2018, in the case of a person who falls within paragraph (1) on the date these Regulations come into force; or

(b) in any other case, the date three months after the date on which the person falls within that paragraph.

[F51Nomination by an OES of a person to act on its behalf in the United Kingdom

8A.(1) This regulation applies to any OES who has their head office outside the United Kingdom and—

(a) provides an essential service of a kind referred to in one or more of paragraphs 1, 2, 3 and 10 of Schedule 2 (energy or digital infrastructure sector) within the United Kingdom; or

(b) provides an essential service of a kind referred to in one or more of paragraphs 4 to 9 of Schedule 2 (transport, health or drinking water supply and distribution sector) within the United Kingdom and falls within paragraph (2).

(2) An OES falls within this paragraph if they have received a notice in writing from a designated competent authority for the OES requiring them to comply with this regulation.

(3) An OES to whom this regulation applies must—

(a) nominate in writing a person in the United Kingdom with the authority to act on their behalf under these Regulations, including for the service of documents for the purposes of regulation 24 (a “nominated person”);

(b) before the relevant date, notify the designated competent authority for the OES in writing of—

(i) their name;

(ii) the name and address of the nominated person; and

(iii) up-to-date contact details of the nominated person (including email addresses and telephone numbers).

(4) The OES must notify the designated competent authority for the OES of any changes to the information notified under paragraph (3)(b) as soon as practicable and in any event within seven days beginning with the day on which the change took effect.

(5) The designated competent authority for the OES and GCHQ may, for the purposes of carrying out their responsibilities under these Regulations, contact the nominated person instead of or in addition to the OES.

(6) A nomination under paragraph (3) is without prejudice to any legal action which could be initiated against the OES.

(7) In this regulation, “relevant date” means the date three months after—

(a) the first day (including that day) on which the OES was deemed to be designated as an OES under regulation 8(1); or

(b) the day (including that day) on which the OES was designated as an OES under regulation 8(3),

unless the first day referred to in sub-paragraph (a) or the day referred to in sub-paragraph (b) was before 31st December 2020 in which case it means 31st March 2021.]

Revocation

9.—(1) Even if a person [F52is deemed to be designated as an OES under regulation 8(1), the designated competent authority for the OES] may revoke the deemed designation [F53, by notice in writing], if the authority concludes that an incident affecting the provision of that essential service by that person is not likely to have significant disruptive effects on the provision of the essential service.

(2) [F54The designated competent authority for an OES may revoke the designation of that OES] under regulation 8(3), by notice [F55in writing], if the conditions mentioned in that regulation are no longer met by that person.

(3) Before revoking a deemed designation of a person [F56as an OES] under regulation 8(1), or a designation of a person [F56as an OES] under regulation 8(3), the competent authority must—

(a) serve a notice in writing of proposed revocation on that person;

(b) provide reasons for the proposed decision;

(c) invite that person to submit any written representations about the proposed decision within such time period as may be specified by the competent authority; and

(d) consider any representations submitted by the person under sub-paragraph (c) before a final decision is taken to revoke the designation.

(4) In order to arrive at the conclusion mentioned in paragraph (1), the competent authority must have regard to the factors mentioned in regulation 8(4).

F57(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The security duties of operators of essential services

10.—(1) An OES must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies.

(2) An OES must take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services.

(3) The measures taken under paragraph (1) must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed.

(4) Operators of essential services must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed by paragraphs (1) and (2).

The duty to notify incidents

11.—(1) An OES must notify the designated competent authority [F58for the OES in writing] about any incident which has a significant impact on the continuity of the essential service which that OES provides (“a network and information systems (“NIS”) incident”).

(2) In order to determine the significance of the impact of an incident an OES must have regard to the following factors—

(a) the number of users affected by the disruption of the essential service;

(b) the duration of the incident; and

(c) the geographical area affected by the incident.

(3) The notification mentioned in paragraph (1) must—

(a) provide the following—

(i) the operator's name and the essential services it provides;

(ii) the time the NIS incident occurred;

(iii) the duration of the NIS incident;

(iv) information concerning the nature and impact of the NIS incident;

(v) information concerning any, or any likely, cross-border impact of the NIS incident; and

(vi) any other information that may be helpful to the competent authority; and

(b) be provided to the competent authority—

(i) without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred; and

(ii) in such form and manner as the competent authority determines.

(4) The information to be provided by an OES under paragraph (3)(a) is limited to information which may reasonably be expected to be within the knowledge of that OES.

(5) After receipt of a notification under paragraph (1), the competent authority must—

(a)assess what further action, if any, is required in respect of that incident; and

(b)share the NIS incident information with the CSIRT as soon as reasonably practicable.

[F59(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT may inform the relevant authorities in a Member State if the CSIRT considers that the incident has a significant impact on the continuity of an essential service provision in that Member State.]

(7) After receipt of a notification under paragraph (1), the competent authority or CSIRT may inform—

(a)the OES who provided the notification about any relevant information that relates to the NIS incident, including how it has been followed up, in order to assist that operator to deal with that incident more effectively or prevent a future incident; and

(b)the public about the NIS incident, as soon as reasonably practicable, if the competent authority or CSIRT is of the view that public awareness is necessary in order to handle that incident or prevent a future incident.

(8) Before the competent authority or CSIRT informs the public about a NIS incident under paragraph (7)(b), the competent authority or CSIRT must consult each other and the OES who provided the notification under paragraph (1).

(9) The competent authority must provide an annual report to the SPOC identifying the number and nature of NIS incidents notified to it under paragraph (1).

(10) The first report mentioned in paragraph (9) must be submitted on or before 1st July 2018 and subsequent reports must be submitted at annual intervals.

(11) The CSIRT is not required to share information under paragraph (6) if the information contains—

(a)confidential information; or

(b)information which may prejudice the security or commercial interests of an OES.

(12) Operators of essential services must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed by paragraphs (1) to (4).

PART 4 Digital Services

Relevant digital service providers

12.—(1) A RDSP must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide, within the [F60United Kingdom], the following services—

(a)online marketplace;

(b)online search engine; or

(c)cloud computing service.

(2) The measures taken by a RDSP under paragraph (1) must—

(a)(having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed;

(b)prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services; and

(c)take into account the following elements as specified in Article 2 of EU Regulation 2018/151—

(i)the security of systems and facilities;

(ii)incident handling;

(iii)business continuity management;

(iv)monitoring auditing and testing; and

(v)compliance with international standards.

(3) A RDSP must notify the Information Commissioner [F61in writing] about any incident having a substantial impact on the provision of any of the digital services mentioned in paragraph (1) that it provides.

(4) The requirement to notify in paragraph (3) applies only if the RDSP has access to information which enables it to assess whether the impact of an incident is substantial.

(5) The notification mentioned in paragraph (3) must provide the following information—

[F62(a)the RDSP’s name and the digital services that it provides;]

(b)the time the F63... incident occurred;

(c)the duration of the F63... incident;

(d)information concerning the nature and impact of the F63... incident;

(e)information concerning any, or any likely, cross-border impact of the F63... incident; and

(f)any other information that may be helpful to the [F64Information Commissioner].

(6) The notification under paragraph (3) must—

(a)be made without undue delay and in any event no later than 72 hours after the RDSP is [F65first] aware that an incident has occurred; and

(b)contain sufficient information to enable the Information Commissioner to determine the significance of any cross-border impact.

(7) In order to determine whether the impact of an incident is substantial the RDSP must—

(a)take into account the following parameters, as specified in Article 3 of EU Regulation 2018/151—

(i)the number of users affected by the incident and, in particular, the users relying on the digital service for the provision of their own services;

(ii)the duration of the incident;

(iii)the geographical area affected by the incident;

(iv)the extent of the disruption to the functioning of the service;

(v)the extent of the impact on economic and societal activities; and

(b)assess whether at least one of [F66the] situations described in Article 4 of EU Regulation 2018/151 has taken place.

(8) After receipt of a notification under paragraph (3) the Information Commissioner must share the incident notification with the CSIRT as soon as reasonably practicable.

(9) If an OES is reliant on a RDSP to provide an essential service, the operator must notify the [F67designated competent authority for the OES in writing] in relation to it about any significant impact on the continuity of the service it provides caused by an incident affecting the RDSP [F68without undue delay].

F69(10) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(11) The Information Commissioner is not required to share information under [F70these Regulations] if the information contains—

(a)confidential information; or

(b)information which may prejudice the security or commercial interests of a RDSP.

(12) If the Information Commissioner or CSIRT—

(a)consults with the RDSP responsible for an incident notification under paragraph (3), and

(b)is of the view that public awareness about that incident is necessary to prevent or manage it, or is in the public interest,

the Information Commissioner or CSIRT may inform the public about that incident or [F71the Commissioner may] direct the RDSP responsible for the notification to do so.

(13) Before the Information Commissioner or CSIRT informs the public about an incident notified under paragraph (3), the Information Commissioner or CSIRT must consult each other and the RDSP who provided the notification.

(14) The Information Commissioner may inform the public about an incident affecting digital services in [F72a Member State of the EU] if—

(a)the relevant authorities in the affected Member State notify the Information Commissioner about the incident;

(b)the Commissioner consults with those relevant authorities; and

(c)the Commissioner is of the view mentioned in [F73paragraph (12)(b)].

(15) The Information Commissioner must provide an annual report to the SPOC identifying the number and nature of incidents notified to it under paragraph (3).

(16) The first report mentioned in paragraph (15) must be submitted on or before 1st July 2018 and subsequent reports must be submitted at annual intervals after that date.

F74(17) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F75Co-operation with the European Union

13.  The Information Commissioner may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the Information Commissioner considers that to do so would be in the interests of effective supervision of digital service providers (whether inside or outside the United Kingdom), including in the event of an incident notified under regulation 12(3).]

Registration with the Information Commissioner

14.—(1) The Information Commissioner must maintain a register of all RDSPs that have been notified to it.

(2) A RDSP must submit the following details to the Information Commissioner before the registration date for the purpose of maintaining the register mentioned in paragraph (1)—

(a)the name of the RDSP;

(b)the address of its head office, or of its nominated representative; and

(c)up-to-date contact details (including email addresses and telephone numbers).

(3) A RDSP must notify the Information Commissioner [F76in writing] about any changes to the details it submitted under paragraph (2) as soon as possible, and in any event within three months of the date on which the change took effect.

(4) In this regulation, the “registration date” means—

(a)1st November 2018, in the case of a RDSP who satisfies the conditions mentioned in regulation 1(3)(e) on the coming into force date of these Regulations, or

(b)in any other case, the date three months after the RDSP satisfies those conditions.

[F77Representatives of digital service providers established outside the United Kingdom

14A.(1) This regulation applies to any digital service provider which—

(a)has its head office outside the United Kingdom, but which offers digital services within the United Kingdom; and

(b)is not a small or micro enterprise as defined in Commission Recommendation 2003/361/EC.

(2) The digital service provider must—

(a)nominate in writing a representative in the United Kingdom; and

(b)notify the Information Commissioner of the name and contact details of that representative.

(3) The digital service provider must comply with paragraph (2)—

(a)in the case of a provider which is offering digital services within the United Kingdom on the coming into force date of these regulations, within three months of the date on which these regulations come into force; or

(b)in any other case, within three months of the provider first offering digital services in the United Kingdom.

(4) The Information Commissioner or GCHQ may contact the representative instead of or in addition to the digital service provider for the purposes of ensuring compliance with these Regulations.

(5) A nomination under paragraph (1) is without prejudice to any legal action which could be initiated against the nominating digital service provider.]

PART 5 Enforcement and penalties

Information notices

15.—(1) In order to assess whether a person should be an OES, a designated competent authority may serve an information notice [F78in writing] upon any person requiring that person to provide it with [F79all such information as] it reasonably requires to establish whether—

(a)a threshold requirement described in F80... Schedule 2 is met; or

(b)the conditions mentioned in regulation 8(3) are met.

(2) A designated competent authority may serve an information notice [F81in writing] upon an OES requiring [F82the OES] to provide it with [F83all such information as] it reasonably requires [F84for one or more of the following purposes]

[F85(a)to assess the security of the OES’s network and information systems;

(b)to establish whether there have been any events that the authority has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

(c)to identify any failure of the OES to comply with any duty set out in these Regulations;

(d)to assess the implementation of the OES’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.]

(3) The Information Commissioner may serve upon a RDSP an information notice [F86in writing] requiring that RDSP to provide the Information Commissioner with [F87all such information as] the Information Commissioner reasonably requires [F88for one or more of the following purposes]

[F89(a)to assess the security of the RDSP’s network and information systems;

(b)to establish whether there have been any events that the Commissioner has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

(c)to identify any failure of the RDSP to comply with any duty set out in these Regulations;

(d)to assess the implementation of the RDSP’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.]

F90(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5) An information notice must—

(a)describe the information that is required by the designated competent authority or the Information Commissioner;

(b)provide the reasons for requesting such information;

(c)specify the form and manner in which the requested information is to be provided; and

(d)specify the time period within which the information must be provided.

[F91(5A) A person upon whom an information notice has been served under this regulation must comply with the requirements of the notice.]

(6) In a case falling within paragraph (1) the information notice may—

(a)be served by publishing it in such manner as the designated competent authority considers appropriate in order to bring it to the attention of any persons who are described in the notice as the persons from whom the information is required; and

(b)take the form of a general request for a certain category of persons to provide the information that is specified in the notice.

(7) A competent authority or the Information Commissioner may withdraw an information notice by written notice to the person on whom it was served.

(8) An information notice under paragraph (1) may not be served upon the SPOC or CSIRT.

Power of inspection

16.—(1) [F92The designated competent authority for an OES may—]

(a)conduct [F93all or any part of] an inspection;

(b)appoint a person to conduct [F94all or any part of] an inspection on its behalf; F95...

(c)direct the OES to appoint a person who is approved by that authority to conduct [F96all or any part of] an inspection on its behalf,

F97....

(2) The Information Commissioner may—

(a)conduct [F98all or any part of] an inspection;

(b)appoint a person to conduct [F99all or any part of] an inspection on its behalf; F100...

(c)direct that a RDSP appoint a person who is approved by the Information Commissioner to conduct [F101all or any part of] an inspection on its behalf,

F102....

(3) For the purposes of carrying out the inspection under paragraph (1) or (2), the OES or RDSP (as the case may be) must—

(a)pay the reasonable costs of the inspection [F103if so required by the relevant competent authority or the Information Commissioner];

(b)co-operate with the [F104inspector];

(c)provide the inspector with F105... access to their premises [F106in accordance with paragraph (5)(a)];

[F107(d)allow the inspector to examine, print, copy or remove any document or information, and examine or remove any material or equipment, in accordance with paragraph (5)(d);]

(e)allow the inspector access to any person from whom the inspector seeks relevant information for the purposes of the inspection;

[F108(f)not intentionally obstruct an inspector performing their functions under these Regulations; and

(g)comply with any request made by, or requirement of, an inspector performing their functions under these Regulations.]

(4) The [F109relevant] competent authority or Information Commissioner may appoint a person to [F110conduct all or any part of] an inspection under paragraph (1)(b) or (2)(b) on its behalf on such terms and in such a manner as it considers appropriate.

[F111(5) An inspector may—

(a)at any reasonable time enter the premises of an OES or RDSP (except any premises used wholly or mainly as a private dwelling) if the inspector has reasonable grounds to believe that entry to those premises may be necessary or helpful for the purpose of the inspection;

(b)require an OES or RDSP to leave undisturbed and not to dispose of, render inaccessible or alter in any way any material, document, information, in whatever form and wherever it is held (including where it is held remotely), or equipment which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

(c)require an OES or RDSP to produce and provide the inspector with access, for the purposes of the inspection, to any such material, document, information or equipment which is, or which the inspector considers to be, relevant to the inspection, either immediately or within such period as the inspector may specify;

(d)examine, print, copy or remove any document or information, and examine or remove any material or equipment (including for the purposes of printing or copying any document or information) which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

(e)take a statement or statements from any person;

(f)conduct, or direct the OES or RDSP to conduct, tests;

(g)take any other action that the inspector considers appropriate and reasonably required for the purposes of the inspection.

(6) The inspector must—

(a)produce proof of the inspector’s identity if requested by any person present at the premises; and

(b)take appropriate and proportionate measures to ensure that any material, document, information or equipment removed in accordance with paragraph (5)(d) is kept secure from unauthorised access, interference and physical damage.

(7) Before exercising any power under paragraph (5)(b) to (d) or (g), the inspector—

(a)must take such measures as appear to the inspector appropriate and proportionate to ensure that the ability of the OES or RDSP, as the case may be, to comply with any duty set out in these Regulations will not be affected; and

(b)may consult such persons as appear to the inspector appropriate for the purpose of ascertaining the risks, if any, there may be in doing anything which the inspector proposes to do under that power.

(8) Where under paragraph (5)(d) an inspector removes any document, material or equipment, the inspector must provide, to the extent practicable, a notice giving—

(a)sufficient particulars of that document, material or equipment for it to be identifiable; and

(b)details of any procedures in relation to the handling or return of the document, material or equipment.

(9) In this regulation—

(a)a reference to a “test” is a reference to any process which is—

(i)employed to verify assertions about the security of a network or information system; and

(ii)based on interacting with that system, including components of that system,

and includes the exercising of any relevant security or resilience management process;

(b)“inspection” means any activity carried out (including any steps mentioned in paragraph (5)) for the purpose of—

(i)verifying compliance with the requirements of these Regulations; or

(ii)assessing or gathering evidence of potential or alleged failures to comply with the requirements of these Regulations,

including any necessary follow-up activity for either purpose;

(c)“inspector” means any person conducting all or any part of an inspection in accordance with paragraph (1) or (2).]

Enforcement [F112notices] for breach of duties

17.—(1) [F113Subject to paragraph (2A),] the designated competent authority for an OES may serve an enforcement notice upon that OES if the F114... authority has reasonable grounds to believe that the OES has failed to—

[F115(za)notify it under regulation 8(2);

(zb)comply with the requirements stipulated in regulation 8A;]

(a)fulfil the security duties under regulation 10(1) and (2);

(b)notify a NIS incident under regulation 11(1);

(c)comply with the notification requirements stipulated in regulation 11(3);

(d)notify an incident as required by regulation 12(9);

(e)comply with an information notice issued under regulation 15; or

(f)comply with—

(i)a direction given under regulation 16(1)(c), or

(ii)the requirements stipulated in regulation 16(3).

(2) [F116Subject to paragraph (2A),] the Information Commissioner may serve an enforcement notice upon a RDSP if the Commissioner has reasonable grounds to believe that the RDSP has failed to—

(a)fulfil its duties under regulation 12(1) or (2);

(b)notify an incident under regulation 12(3);

(c)comply with the notification requirements stipulated in regulation 12(5);

(d)comply with a direction made by the Information Commissioner under regulation 12(12);

[F117(da)comply with the requirements stipulated in regulation 14A;]

(e)comply with an information notice issued under regulation 15; or

(f)comply with—

(i)a direction given under regulation 16(2)(c), or

(ii)the requirements stipulated in regulation 16(3).

[F118(2A) Before serving an enforcement notice under paragraph (1) or (2), the relevant competent authority or the Information Commissioner must inform the OES or RDSP, in such form and manner as it considers appropriate having regard to the facts and circumstances of the case, of—

(a)the alleged failure; and

(b)how and by when representations may be made in relation to the alleged failure and any related matters.

(2B) When the relevant competent authority or the Information Commissioner informs the OES or RDSP in accordance with paragraph (2A), it may also provide notice of its intention to serve an enforcement notice.

(2C) The relevant competent authority or the Information Commissioner may serve an enforcement notice on the OES or RDSP within a reasonable time, irrespective of whether it has provided any notice in accordance with paragraph (2B), having regard to the facts and circumstances of the case, after it has informed the OES or RDSP in accordance with paragraph (2A).

(2D) The relevant competent authority or the Information Commissioner must have regard to any representations made under paragraph (2A)(b).]

(3) An enforcement notice that is served under paragraph (1) or (2) must be in writing and must specify the following—

(a)the reasons for serving the notice;

(b)the alleged failure which is the subject of the notice; [F119and]

(c)what steps, if any, must be taken to rectify the alleged failure and the time period during which such steps must be taken; F120...

F120(d). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F121(3A) An OES or RDSP upon whom an enforcement notice has been served under paragraph (1) or (2) must comply with the requirements, if any, of the notice regardless of whether the OES or RDSP has paid any penalty imposed on it under regulation 18.]

(4) If the relevant competent authority or Information Commissioner is satisfied that no further action is required, having considered—

(a)[F122any] representations submitted in accordance with paragraph [F123(2A)]; or

(b)any steps taken to rectify the alleged failure;

it must inform the OES or the RDSP, as the case may be, in writing, as soon as reasonably practicable.

(5) The OES or RDSP may request reasons for a decision to take no further action under paragraph (4) within 28 days of being informed of that decision.

(6) Upon receipt of a request under paragraph (5), the relevant competent authority or Information Commissioner must provide written reasons for a decision under paragraph (4) within a reasonable time and in any event no later than 28 days.

Penalties

18.[F124(1) The designated competent authority for an OES may serve a notice of intention to impose a penalty on the OES if it has reasonable grounds to believe that the OES has failed to comply with a duty referred to in regulation 17(1) or the duty set out in regulation 17(3A) and considers that a penalty is warranted having regard to the facts and circumstances of the case.

(2) The Information Commissioner may serve a notice of intention to impose a penalty on a RDSP if it has reasonable grounds to believe that the RDSP has failed to comply with a duty referred to in regulation 17(2) or the duty set out in regulation (3A) and considers that a penalty is warranted having regard to the facts and circumstances of the case.]

(3) A [F125notice of intention to impose a penalty] must be in writing and must specify the following—

(a)the reasons for imposing a penalty;

(b)the sum that is [F126intended] to be imposed as a penalty and how it is to be paid;

(c)the date on which the notice [F127of intention to impose a penalty] is given;

[F128(d)the period within which a penalty will be required to be paid if a penalty notice is served;

(e)that the payment of a penalty under a penalty notice (if any) is without prejudice to the requirements of any enforcement notice (if any); and

(f)how and when representations may be made about the content of the notice of intention to impose a penalty and any related matters.]

[F129(3A) The relevant competent authority may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the OES with a final penalty decision if the authority is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

(3B) The Information Commissioner may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the RDSP with a final penalty decision if the Commissioner is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

(3C) The relevant competent authority or the Information Commissioner may serve a notice of intention to impose a penalty or a penalty notice irrespective of whether it has served or is contemporaneously serving an enforcement notice on the OES or RDSP under regulation 17(1) or (2).

(3D) A penalty notice must—

(a)be given in writing to the OES or RDSP;

(b)include reasons for the final penalty decision;

(c)require the OES or RDSP to pay—

(i)the penalty specified in the notice of intention to impose a penalty; or

(ii)such penalty as the relevant competent authority or the Information Commissioner considers appropriate in the light of any representations made by the OES or RDSP and any steps taken by the OES or RDSP to rectify the failure or to do one or more of the things required by an enforcement notice under regulation 17(3);

(d)specify the period within which the penalty must be paid (“the payment period”) and the date on which the payment period is to commence;

(e)provide details of the appeal process under regulation 19A; and

(f)specify the consequences of failing to make payment within the payment period.

(3E) It is the duty of the OES or RDSP to comply with any requirement imposed by a penalty notice.]

(4) A competent authority or the Information Commissioner may withdraw a penalty notice by informing the person upon whom it was served in writing.

(5) The sum [F130of any penalty imposed] under this regulation must be an amount that—

(a)the competent authority or Information Commissioner determines is appropriate and proportionate to the failure in respect of which it is imposed; and

(b)is in accordance with paragraph (6).

(6) The amount F131... must—

(a)not exceed £1,000,000 for any contravention which the [F132NIS] enforcement authority determines [F133was not a material contravention];

F134(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c)not exceed £8,500,000 for a material contravention which the [F135NIS] enforcement authority determines [F136does not meet the criteria set out in sub-paragraph (d)]; and

(d)not exceed £17,000,000 for a material contravention which the [F137NIS] enforcement authority determines [F138has or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES or RDSP.]

(7) In this regulation—

[F139(a)“a material contravention” means—

(i)[F140a failure to take, or adequately take, one or more of the steps required under an enforcement notice within the period specified in that notice to rectify a failure described in one or more of—

(aa)sub-paragraphs (a) to (d) of regulation 17(1); or

(bb)sub-paragraphs (a) to (d) of regulation 17(2); or

(ii)where an enforcement notice was not served or where no steps were required to be taken under an enforcement notice, a failure described in one or more of—

(aa)sub-paragraphs (a) to (d) of regulation 17(1); or

(bb)sub-paragraphs (a) to (d) of regulation 17(2).]]

F141(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Independent review of designation decisions and penalty decisions

F14219.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F143Appeal by an OES or RDSP to the First-tier Tribunal

19A.(1) An OES may appeal to the First-tier Tribunal against one or more of the following decisions of the designated competent authority for the OES on one or more of the grounds specified in paragraph (3)—

(a)a decision under regulation 8(3) to designate that person as an OES;

(b)a decision under regulation 9(1) or (2) to revoke the designation of that OES;

(c)a decision under regulation 17(1) to serve an enforcement notice on that OES;

(d)a decision under regulation 18(3A) to serve a penalty notice on that OES.

(2) A RDSP may appeal to the First-Tier Tribunal against one or both of the following decisions of the Information Commissioner on one or more of the grounds specified in paragraph (3)—

(a)a decision under regulation 17(2) to serve an enforcement notice on that RDSP;

(b)a decision under regulation 18(3B) to serve a penalty notice on that RDSP.

(3) The grounds of appeal referred to in paragraphs (1) and (2) are—

(a)that the decision was based on a material error as to the facts;

(b)that any of the procedural requirements under these Regulations in relation to the decision have not been complied with and the interests of the OES or RDSP have been substantially prejudiced by the non-compliance;

(c)that the decision was wrong in law;

(d)that there was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the interests of the OES or RDSP.]

[F143Decision of the First-tier Tribunal

19B.(1) The First-tier Tribunal must determine the appeal after considering the grounds of appeal referred to in regulation 19A(3) and by applying the same principles as would be applied by a court on an application for judicial review.

(2) The Tribunal may, until it has determined the appeal in accordance with paragraph (1) and unless the appeal is withdrawn, suspend the effect of the whole or part of any of the following decisions to which the appeal relates—

(a)a decision under regulation 8(3) to designate a person as an OES;

(b)a decision under regulation 9(1) or (2) to revoke the designation of a person as an OES;

(c)a decision under regulation 17(1) to serve an enforcement notice;

(d)a decision under regulation 17(2) to serve an enforcement notice;

(e)a decision under regulation 18(3A) to serve a penalty notice; or

(f)a decision under regulation 18(3B) to serve a penalty notice.

(3) The Tribunal may—

(a)confirm any decision to which the appeal relates; or

(b)quash the whole or part of any decision to which the appeal relates.

(4) Where the Tribunal quashes the whole or part of a decision to which the appeal relates, it must remit the matter back to the designated competent authority for the OES or, as the case may be, the Information Commissioner, with a direction to that authority or the Commissioner to reconsider the matter and make a new decision having regard to the ruling of the Tribunal.

(5) The relevant competent authority or, as the case may be, the Information Commissioner, must have regard to a direction under paragraph (4).

(6) Where the relevant competent authority or, as the case may be, the Information Commissioner, makes a new decision in accordance with a direction under paragraph (4), that decision is to be considered final.]

[F143Enforcement by civil proceedings

A20.(1) This regulation applies where—

(a)a designated competent authority for an OES has reasonable grounds to believe that the OES has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A); or

(b)the Information Commissioner has reasonable grounds to believe that a RDSP has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A).

(2) This regulation applies irrespective of whether the OES or RDSP has appealed to the First-tier Tribunal under regulation 19A.

(3) But where an OES or RDSP has appealed to the First-tier Tribunal under regulation 19A and the Tribunal has granted a suspension of the effect of the whole or part of the relevant decision under regulation 19B(2), the relevant competent authority or the Information Commissioner, as the case may be, may not bring or continue proceedings under this regulation in respect of that decision or that part of that decision for as long as the suspension has effect.

(4) Where paragraph (1)(a) applies, the relevant competent authority may commence civil proceedings against the OES—

(a)for an injunction to enforce the duty in regulation 17(3A);

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

(c)for any other appropriate remedy or relief.

(5) Where paragraph (1)(b) applies, the Information Commissioner may commence civil proceedings against the RDSP—

(a)for an injunction to enforce the duty in regulation 17(3A);

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

(c)for any other appropriate remedy or relief.

(6) No civil proceedings may be commenced under this regulation before the end of a period of 28 days beginning with the day on which the last relevant enforcement notice was served on the OES or, as the case may be, RDSP.

(7) In this regulation, a reference to civil proceedings is a reference to proceedings, other than proceedings in respect of an offence, before a civil court in the United Kingdom.]

Enforcement of penalty notices

20.—(1) This paragraph applies where a sum is payable to an enforcement authority as a penalty under regulation 18.

(2) In England and Wales the penalty is recoverable as if it were payable under an order of the county court or of the High Court.

(3) In Scotland the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom.

(4) In Northern Ireland the penalty is recoverable as if it were payable under an order of a county court or of the High Court.

(5) Where action is taken under this paragraph for the recovery of a sum payable as a penalty under regulation 18, the penalty is —

(a)in relation to England and Wales, to be treated for the purposes of section 98 of the Courts Act 2003 F144 (register of judgments and order etc.) as if it were a judgment entered in the county court;

(b)in relation to Northern Ireland, to be treated for the purposes of Article 116 of the Judgments Enforcement (Northern Ireland) Order 1981 F145 (register of judgments) as if it were a judgment in respect of which an application has been accepted under Article 22 or 23(1) of that Order.

(6) No action may be taken under this paragraph for the recovery of a sum payable as a penalty under regulation 18 if [F146an appeal has been brought under regulation 19A and the appeal] has not been determined or withdrawn.

F144 2003 c. 39. Section 98 was amended by sections 48(1) and 106(2) of, and paragraph 55(1), (2), (3)(a) and (b) of Schedule 8 and paragraph 15 of Schedule 16 to, the Tribunals, Courts and Enforcement Act 2007 (c. 15), and section 17(5) of, and paragraph 40(a) and (c) of Part 2 of Schedule 9 to, the Crime and Courts Act 2013 (c. 22). Further amendments made by the Tribunals, Courts and Enforcement Act 2007 have yet to be brought into force.

PART 6 Miscellaneous

Fees

21.—(1) A fee is payable by an OES or a RDSP to an enforcement authority, to recover the reasonable costs incurred by, or on behalf of, that authority in carrying out a NIS function in relation to that OES or RDSP.

(2) The fee mentioned in paragraph (1) must be paid to the enforcement authority within 30 days after receipt of the invoice sent by the authority.

(3) The invoice must state the work done and the reasonable costs incurred by, or on behalf of, the enforcement authority, including the time period to which the invoice relates.

(4) An enforcement authority may determine not to charge a fee under paragraph (1) in any particular case.

(5) A fee payable under this regulation is recoverable as a civil debt.

(6) In this regulation—

(a)a “NIS function” means a function that is carried out under these Regulations except any function under regulations 17(1) to (4) and 18 to 20; and

(b)“enforcement authority” has the same meaning as in regulation 18(7)(b).

Proceeds of penalties

22.—(1) The sum that is received by a NIS enforcement authority as a result of a penalty notice served under regulation 18 must be paid into the Consolidated Fund unless paragraph (2) applies.

(2) The sum that is received as a result of a penalty notice served under regulation 18 by—

(a)the Welsh Ministers must be paid into the Welsh Consolidated Fund established under section 117 of the Government of Wales Act 2006 F147; and

(b)the Scottish Ministers or the Drinking Water Quality Regulator for Scotland, must be paid into the Scottish Consolidated Fund established under section 64 of the Scotland Act 1998 F148.

F148 1998 c. 46. Sub-section 2A of section 64 was inserted by section 16(1) and (2) of the Scotland Act 2016 (c. 11).

Enforcement action – general considerations

23.—(1) Before a NIS enforcement authority takes any action under regulation [F149 17(1) or (2), 18(3A) or (3B) or A20,] the enforcement authority must consider whether it is reasonable and proportionate, on the facts and circumstances of the case, to take action in relation to the contravention.

(2) The NIS enforcement authority must, in particular, have regard to the following matters—

(a)any representations made by the OES or RDSP, as the case may be, about the contravention and the reasons for it, if any;

(b)any steps taken by the OES or RDSP to comply with the requirements set out in these Regulations;

(c)any steps taken by the OES or RDSP to rectify the contravention;

(d)whether the OES or RDSP had sufficient time to comply with the requirements set out in these Regulations; and

(e)whether the contravention is also liable to enforcement under another enactment.

Service of documents

24.—(1) Any document or notice required or authorised by these Regulations to be served on a person may be served by—

(a)delivering it to that person in person;

(b)leaving it at the person's proper address; or

(c)sending it by post or electronic means to that person's proper address.

(2) In the case of a body corporate, a document may be served on a director of that body.

(3) In the case of a partnership, a document may be served on a partner or person having control or management of the partnership business.

(4) If a person has specified an address in the United Kingdom (other than that person's proper address) at which that person or someone on that person's behalf will accept service, that address must also be treated as that person's proper address.

(5) For the purposes of this regulation “proper address” means—

(a)in the case of a body corporate or its director—

(i)the registered or principal office of that body; or

(ii)the email address of the secretary or clerk of that body;

(b)in the case of a partnership, a partner or person having control or management of the partnership business—

(i)the principal office of the partnership; or

(ii)the email address of a partner or a person having that control or management;

(c)in any other case, a person's last known address, which includes an email address.

(6) In this regulation, “partnership” includes a Scottish partnership.

Review and report

25.—(1) The Secretary of State must—

(a)carry out a review of the regulatory provision contained in these Regulations [F150and in EU Regulation 2018/151]; and

(b)publish a report setting out the conclusions of that review.

(2) The first report must be published on or before 9th May 2020 [F151, the second report must be published on or before 9th May 2022] and subsequent reports must be published at [F152intervals not exceeding five years].

F153(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F154(4) Section 30(4) of [F155the Small Business, Enterprise and Employment Act 2015] requires that reports published under this regulation must, in particular—

(a)set out the objectives intended to be achieved by the regulatory provision referred to in paragraph (1)(a);

(b)assess the extent to which those objectives are achieved;

(c)assess whether those objectives remain appropriate; and

(d)if those objectives remain appropriate, assess the extent to which they could be achieved in another way which involves less onerous regulatory provision.]

[F154(5) In this regulation “regulatory provision” has the same meaning as in sections 28 to 32 of that Act.]

Matt Hancock

Secretary of State

Department for Digital, Culture, Media and Sport

We consent

Rebecca Harris

Paul Maynard

Two of the Lords Commissioners of Her Majesty's Treasury

Regulation 3

SCHEDULE 1 Designated Competent Authorities

Column 1: Relevant sectors | Column 2: subsectors | Column 3: designated competent authorities
Energy | Electricity | The Secretary of State for Business, Energy and Industrial Strategy (England and Wales and Scotland) and the Gas and Electricity Markets Authority (acting jointly). The Department of Finance (Northern Ireland)
Energy | Oil | The Secretary of State for Business, Energy and Industrial Strategy (England and Wales and Scotland); The Department of Finance (Northern Ireland)
Energy | Gas | The Secretary of State for Business, Energy and Industrial Strategy for the essential services specified in Schedule 2, paragraph 3, sub-paragraphs (5) to (8) (England and Wales and Scotland). Otherwise, the Secretary of State for Business, Energy and Industrial Strategy and The Gas and Electricity Markets Authority (acting jointly). The Department of Finance (Northern Ireland)
Transport | Air Transport | The Secretary of State for Transport and The Civil Aviation Authority (acting jointly) (United Kingdom).
Transport | Rail Transport | The Secretary of State for Transport (England and Wales and Scotland); The Department of Finance (Northern Ireland)
Transport | Water Transport | The Secretary of State for Transport (United Kingdom)
Transport | Road Transport | The Secretary of State for Transport (England and Wales); The Scottish Ministers (Scotland); The Department of Finance (Northern Ireland)
Health Sector | Health care settings (including hospitals, private clinics and online settings) | The Secretary of State for Health (England); The Welsh Ministers (Wales); The Scottish Ministers (Scotland); The Department of Finance (Northern Ireland)
Drinking water supply and distribution | Drinking water supply and distribution | The Secretary of State for Environment, Food and Rural Affairs (England); The Welsh Ministers (Wales); The Drinking Water Quality Regulator for Scotland (Scotland); The Department of Finance (Northern Ireland)
Digital Infrastructure | Digital Infrastructure | Office of Communications (United Kingdom)

Regulation 8

SCHEDULE 2 Essential Services and Threshold Requirements

The electricity subsector

1.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electricity subsector.

(2) For the essential service of electricity supply the threshold requirements are—

(a)in Great Britain—

(i)electricity undertakings that carry out the function of supply to more than 250,000 final customers; or

(ii)electricity undertakings that carry out the function of supply, and generation via generators that when cumulated with the generators operated by affiliated undertakings would have a total capacity, in terms of input to a transmission system, greater than or equal to 2 gigawatts;

(b)in Northern Ireland—

(i)the holder of a supply licence under Article 10(1)(c) of the Electricity (Northern Ireland) Order 1992 F156 who supplies electricity to more than 8,000 consumers; and

(ii)the holder of a generation licence under Article 10(1)(a) of the Electricity (Northern Ireland) Order 1992 with a generating capacity equal to or greater than 350 megawatts.

(3) For the essential service of the single electricity market in Northern Ireland, the threshold requirement is the holder of a Single Electricity Market operator licence under Article 10(1)(d) of the Electricity (Northern Ireland) Order 1992 F157.

(4) For the essential service of electricity transmission, the threshold requirements are—

(a)in Great Britain—

(i)transmission system operators with a potential to disrupt delivery of electricity to more than 250,000 final customers;

(ii)holders of offshore transmission licences where the offshore transmission systems of that licence holder and its affiliated undertakings are directly connected to generators that have a total cumulative capacity, in terms of input to a transmission system, greater than or equal to 2 gigawatts; or

(iii)holders of interconnector licences where the electricity interconnector to which the licence relates has a capacity, in terms of input to a transmission system, greater than or equal to 1 gigawatt;

(b)in Northern Ireland, the holder of a transmission licence under Article 10(1)(b) of the Electricity (Northern Ireland) Order 1992 F158.

(5) For the essential service of electricity distribution, the threshold requirements are—

(a)in Great Britain, distribution system operators with the potential to disrupt delivery of electricity to more than 250,000 final customers;

(b)in Northern Ireland, the holder of a distribution licence under Article 10(1)(bb) of the Electricity (Northern Ireland) Order 1992 F159.

(6) Nuclear electricity generators and generators that are not connected to a transmission system are excluded from the threshold described in sub-paragraph (2)(a)(ii).

(7) Transmission systems for which an offshore transmission licence or interconnector licence applies are excluded from the threshold described in sub-paragraph (4)(a)(i).

(8) In this paragraph—

(a)“affiliated undertaking” has the meaning given by Article 2(12) of Directive 2013/34/EU F160 of the European Parliament and of the Council on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC;

(b)“distribution” has the meaning given by Article 2(5) of Directive 2009/72/EC of the European Parliament and of the Council concerning common rules for the internal market in electricity and repealing Directive 2003/54/EC F161, (“the Electricity Directive”);

(c)“distribution system operator” has the meaning given by Article 2(6) of the Electricity Directive;

(d)“electricity undertaking” has the meaning given by Article 2(35) of the Electricity Directive;

(e)“final customer” has the meaning given by Article 2(9) of the Electricity Directive;

(f)“generation” has the meaning given by Article 2(1) of the Electricity Directive and includes the generation of electricity from stored energy, and “generator” must be interpreted accordingly;

(g)“interconnector licence” means a licence granted under section 6(1)(e) of the Electricity Act 1989 F162;

(h)“offshore transmission licence” and “offshore transmission” have the meaning given by section 6C(5) and (6) of the Electricity Act 1989 F163, respectively;

(i)“stored energy” means energy that—

(aa)was converted from electricity, and

(bb)is stored for the purpose of its future reconversion into electricity;

(j)“supply” has the meaning given by Article 2(19) of the Electricity Directive;

(k)“transmission” has the meaning given by Article 2(3) of the Electricity Directive; and

(l)“transmission system operator” has the meaning given by Article 2(4) of the Electricity Directive.

F156 S.I. 1992/231 (N.I. 1). Article 10(1)(c) was substituted by regulation 6(1) of S.R. 2007 No. 321; there are other amendments to this instrument but none are relevant.

F157 Article 10(1)(d) was inserted by article 4(4)(b) of S.I.2007/913 (N.I. 7).

F158 Article 10(1)(b) was substituted by article 28(4) of S.I. 2003/419 (N.I. 6) and was amended by article 4(4)(a) of S.I. 2007/913 (N.I. 7).

F159 Article 10(1)(bb) was inserted by regulation 19(a) of S.R. 2011 No. 155.

F160 OJ No. L 182, 29.6.2013, p. 19.

F161 OJ No. L 211, 14.08.2009, p. 55.

F162 1989 c. 29. Section 6 of the Electricity Act 1989 was substituted by the Utilities Act 2000 (c. 30) and amended by the Energy Act 2004 (c. 20). There are other amendments not relevant to this instrument.

F163 Section 6C of the Electricity Act 1989 (c. 29) was inserted by section 92 of the Energy Act 2004 (c. 20).

The oil subsector

2.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the oil subsector.

(2) For the essential service of the conveyance of oil through relevant upstream petroleum pipelines, the threshold requirement, in the United Kingdom is the operator of a relevant upstream petroleum pipeline which has a throughput of more than 3,000,000 tonnes of oil equivalent per year excluding natural gas, if that operator does not fall within another threshold requirement in relation to this pipeline under this Schedule.

(3) For the essential service of oil transmission by pipeline, the threshold requirements are—

(a)in Great Britain, operators of any pipeline with throughput F164... of more than 500,000 tonnes of crude oil based fuel per year [F165not including transmission of crude oil]; and

(b)in Northern Ireland, operators of any pipeline with throughput F166... of more than 50,000 tonnes of crude oil based fuel per year.

(4) For the essential service of the operation of relevant oil processing facilities, the threshold requirement in the United Kingdom is in the case of—

(a)a relevant oil processing facility, [F167an operator of a facility with a throughput of more than 3,000,000 tonnes of oil equivalent per year,] or

(b)a relevant upstream petroleum pipeline which is connected to and operated from a relevant oil processing facility, [F168an operator of a pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year.]

F169...

(5) For the essential service of [F170crude oil based fuel] production, refining, [F171onshore] storage and transmission the threshold requirements are—

(a)in Great Britain, operators of any facility where that facility has a capacity greater than any of the following values—

(i)storage of 500,000 tonnes of crude oil based fuel;

(ii)production of 500,000 tonnes of crude oil based fuel per year; or

(iii)supply of 500,000 tonnes of crude oil based fuel per year;

(b)in Northern Ireland, the operator of a facility which has a storage capacity of greater than 50,000 tonnes of crude oil based fuel.

(6) For the essential service of the operation of petroleum production projects (other than projects which are primarily used for the storage of gas), the threshold requirement in the United Kingdom is, in the case of—

(i)a relevant offshore installation which is part of a petroleum production project [F172, an operator of an installation with a throughput of more than 3,000,000 tonnes of oil equivalent per year,] or

(ii)a relevant upstream petroleum pipeline which is connected to and operated from such an installation, [F173an operator of a pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year]

F174....

(7) In sub-paragraph (5), the following are included within the description of the essential service—

(a)storage of crude oil based fuel;

(b)production of crude oil based fuels through a range of refining or blending processes, but excluding processes for rendering the oil suitable for transportation; and

(c)supply of crude oil based fuels to retail sites, airports or other users within the United Kingdom.

(8) In this paragraph—

(a)“carbon dioxide pipeline” has the meaning given by section 90(2) of the Energy Act 2011 F175;

(b)“crude oil” means any liquid hydrocarbon mixture occurring naturally in the earth whether or not treated to render it suitable for transportation, and includes—

(i)crude oils from which distillate fractions have been removed, and

(ii)crude oils to which distillate fractions have been added;

(c)“crude oil based fuel” means [F176substances derived from crude oil, not including crude oil itself;]

(d)“foreign sector of the continental shelf” has the meaning given by section 90(1) of the Energy Act 2011 F177;

[F178(e)“gas processing facility” has the meaning given by section 12(6) of the Gas Act 1995;]

(f)“gas processing operation” means any of the following operations—

(i)purifying, blending, odorising or compressing gas for the purpose of enabling it to be introduced into a pipeline system operated by a gas transporter or to be conveyed to an electricity generating station, a gas storage facility or any place outside the United Kingdom;

(ii)removing from gas for that purpose any of its constituent gases, or separating from gas for that purpose any oil or water;

(iii)determining the quantity or quality of gas which is or is to be so introduced, or so conveyed, whether generally or by, or on behalf of, a particular person;

(iv)separating, purifying, blending, odorising or compressing gas for the purpose of—

(aa)converting it into a form in which a purchaser is willing to accept delivery from a seller, or

(bb)enabling it to be loaded for conveyance to another place (whether inside or outside the United Kingdom); or

(v)loading gas—

(aa)at a facility which carries out operations of a kind mentioned in paragraph (iv), or

(bb)piped from such a facility

for the purpose of enabling the gas to be conveyed to another place (whether inside or outside the United Kingdom);

(g)“gas transporter” has the meaning given by section 7(1) of the Gas Act 1986 F179;

(h)“oil equivalent” means petroleum and, for the purposes of assessments of throughput, where petroleum is in a gaseous state 1,100 cubic meters of this petroleum at a temperature of 15 degrees Celsius and pressure of one atmosphere is counted as equivalent to one tonne;

(i)“oil processing facility” means any facility which carries out oil processing operations;

(j)“oil processing operations” means any of the following operations—

(i)initial blending and such other treatment of petroleum as may be required to produce stabilised crude oil to the point at which a seller could reasonably make a delivery to a purchaser of such oil;

(ii)receiving stabilised crude oil piped from an oil processing facility carrying out operations of a kind mentioned in sub-paragraph (i), or storing oil so received, prior to their conveyance to another place (whether inside or outside the United Kingdom);

(iii)loading stabilised crude oil piped from a facility carrying out operations of a kind mentioned in sub-paragraph (i) or (ii) for conveyance to another place (whether inside or outside the United Kingdom);

[F180(ja)“operator” means—

(i)in relation to a pipeline—

(aa)the person who is to have or (once any fluid or any mixture of fluids is conveyed) has control over the conveyance of any fluid or any mixture of fluids in the pipeline;

(bb)until that person is known, the person who is to commission or (where commissioning has started) commissions the design and construction of the pipeline; or

(cc)when a pipeline is no longer used or is not for the time being used, the person last having control over the conveyance of fluid or any mixture of fluids in it;

(ii)in relation to a production installation—

(aa)the person appointed by the licensee of the operator or by any other person to manage and control directly the execution of the main functions of a production installation; or

(bb)the licensee, where it is not clear to the designated competent authority that one person has been appointed to perform the functions described in paragraph (aa) or, in the opinion of that authority, the person appointed to perform the functions described in that paragraph is incapable of performing those functions satisfactorily;]

(k)“petroleum” has the same meaning as in section 1 of the Petroleum Act 1998 F181, and includes petroleum that has undergone any processing;

(l)“petroleum production project” means a project carried out by virtue of a licence granted under—

(i)section 3 of the Petroleum Act 1998 F182,

(ii)section 2 of the Petroleum (Production) Act 1934 F183, or

(iii)section 2 of the Petroleum (Production) Act (Northern Ireland) 1964 F184,

and includes such a project which is used for the storage of gas;

(m)“piped gas” means gas which—

(i)originated from a petroleum production project (or an equivalent project in a foreign sector of the continental shelf), and

(ii)has been conveyed only by means of pipes;

(n)“pipeline” means a pipe or system of pipes for the conveyance of anything;

[F185(na)“production installation” has the meaning given by regulation 2(1) of the Offshore Installations (Safety Case) Regulations 2005;]

(o)“relevant offshore installation” means an offshore installation within the meaning of section 44 of the Petroleum Act 1998 F186 which carries on the activities mentioned in subsection (3)(a) or (c) of that section and is a relevant offshore installation only to the extent it is used to carry on those activities;

(p)“terminal” includes—

(i)facilities for such initial blending and other treatment as may be required to produce stabilised crude oil to the point at which a seller could reasonably make a delivery to a purchaser of such oil;

(ii)oil processing facilities;

(iii)gas processing facilities; and

(iv)a facility for the reception of gas prior to its conveyance to a place outside the United Kingdom;

(q)“upstream petroleum pipeline” means a pipeline or one of a network of pipelines which is—

(i)operated or constructed as part of a petroleum production project (or an equivalent project in a foreign sector of the continental shelf) and is not a carbon dioxide pipeline;

(ii)used to convey petroleum from the site of one or more such projects—

(aa)directly to premises, in order for that petroleum to be used at those premises for power generation or for an industrial process;

(bb)directly to a place outside the United Kingdom;

(cc)directly to a terminal; or

(dd)indirectly to a terminal by way of one or more other terminals, whether or not such intermediate terminals are of the same kind as the final terminal; or

(iii)used to convey gas directly from a terminal to a pipeline system operated by a gas transporter or to any premises.

(9) In sub-paragraph (8)(f), (l), (m), (p) and (q) “gas” means any substance which is or, if it were in a gaseous state, would be gas within the meaning of Part 1 of the Gas Act 1986 F187.

(10) In this paragraph an upstream petroleum pipeline, oil processing facility, or gas processing facility is “relevant” if and in so far as it is situated in—

(a)the United Kingdom;

(b)the territorial sea adjacent to the United Kingdom; or

(c)the sea [F188(including the seabed and subsoil)] in any area designated under section 1(7) of the Continental Shelf Act 1964 F189.

[F190(11) In this paragraph, “Great Britain” includes—

(a)Great Britain;

(b)the territorial sea adjacent to Great Britain; and

(c)the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964.]

F175 2011 c. 16. There are no amendments relevant to this instrument.

F177 2011 c. 16. There are no amendments relevant to this instrument.

F179 1986 c. 44. Section 7(1) was substituted by section 76 of the Utilities Act 2000 (c. 27). There are other amendments not relevant to this instrument.

F183 1934 c. 36. This Act was repealed by section 51 of and Schedule 5 to the Petroleum Act 1998 (c. 17), subject to the savings provisions set out in Schedule 3.

F186 There are amendments to section 44 of the Petroleum Act 1998 (c. 17) not relevant to this instrument.

F189 1964 c. 29. Section 1(7) of the Continental Shelf Act 1964 was amended by section 37 of, and Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23), and section 103 of the Energy Act 2011 (c. 16).

The gas subsector

3.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the gas subsector.

(2) For the essential service of gas supply the threshold requirements are—

(a)in Great Britain, supply undertakings that supply gas to more than 250,000 final customers;

(b)in Northern Ireland, the holder of a supply licence under Article 8(1)(c) of the Gas (Northern Ireland) Order 1996 F191 who supplies gas to more than 2,000 customers.

(3) For the essential service of gas transmission the threshold requirements are—

(a)in Great Britain—

(i)transmission system operators with a potential to disrupt delivery to more than 250,000 final customers; or

(ii)holders of interconnector licences where the gas interconnector to which the licence relates has the technological capacity to input more than 20 million cubic metres of gas per day to a transmission system; and

(b)in Northern Ireland, the holder of a gas conveyance licence under Article 8(1)(a) of the Gas (Northern Ireland) Order 1996.

(4) For the essential service of gas distribution the threshold requirements are—

(a)in Great Britain, distribution system operators with a potential to disrupt delivery to more than 250,000 final customers; and

(b)in Northern Ireland the holder of a licence under Article 8(1)(a) of the Gas (Northern Ireland) Order 1996.

(5) For the essential service of the operation of gas storage facilities, the threshold requirements are—

(a)in Great Britain, storage system operators where the storage facility has the technological capacity to input more than 20 million cubic metres of gas per day to a transmission system; and

(b)in Northern Ireland the holder of a licence under Article 8(1)(b) of the Gas (Northern Ireland) Order 1996 F192.

(6) For the essential service of the operation of LNG facilities, the threshold requirements are—

(a)in Great Britain, LNG system operators where the LNG facility has the technological capacity to input more than 20 million cubic metres of gas per day to a transmission system; and

(b)in Northern Ireland the holder of a licence under Article 8(1)(d) of the Gas (Northern Ireland) Order 1996 F193.

(7) For the essential service of the operation of relevant gas processing facilities, the threshold requirement in the United Kingdom is in the case of—

[F194(a)an operator of a relevant gas processing facility, an operator of a facility with a throughput of more than 3,000,000 tonnes of oil equivalent per year; or

(b)a relevant upstream pipeline and associated infrastructure that is connected to and operated from such a relevant gas processing facility, and critical to the continued operation of that facility, an operator of a pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year],

an operator of a facility or pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year.

(8) For the essential service of the operation of petroleum production projects (other than projects which are primarily used for the storage of gas), the threshold requirement in the United Kingdom is—

(a)in the case of—

(i)a relevant offshore installation which is part of a petroleum production project (other than a project which is primarily used for the storage of gas), or

(ii)a relevant upstream petroleum pipeline which is connected to and operated from such an installation,

an operator of an installation or pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year.

(9) In sub-paragraph (3)(a)(i) the threshold requirement does not include transmission systems for which an interconnector licence applies.

(10) In this paragraph—

(a)“carbon dioxide pipeline” has the meaning given by section 90(2) of the Energy Act 2011 F195;

(b)“crude oil” means any liquid hydrocarbon mixture occurring naturally in the earth whether or not treated to render it suitable for transportation, and includes—

(i)crude oils from which distillate fractions have been removed, and

(ii)crude oils to which distillate fractions have been added;

(c)“distribution” has the meaning given by Article 2(5) of Directive 2009/73/EC of the European Parliament and of the Council concerning common rules for the internal market in natural gas and repealing Directive 2003/55/EC F196, “the Gas Directive”;

(d)“distribution system operator” has the meaning given by Article 2(6) of the Gas Directive;

(e)“final customer” has the meaning given by Article 2(27) of the Gas Directive;

(f)“foreign sector of the continental shelf” has the meaning given by section 90(1) of the Energy Act 2011 F197;

(g)“gas processing facility” means any facility which—

(i)carries out gas processing operations in relation to piped gas;

(ii)is operated otherwise than by a gas transporter; and

(iii)is not an LNG import or export facility (within the meaning of section 12 of the Gas Act 1995 F198);

(h)“gas processing operation” means any of the following operations—

(i)purifying, blending, odorising or compressing gas for the purpose of enabling it to be introduced into a pipeline system operated by a gas transporter or to be conveyed to an electricity generating station, a gas storage facility or any place outside the United Kingdom;

(ii)removing from gas for that purpose any of its constituent gases, or separating from gas for that purpose any oil or water;

(iii)determining the quantity or quality of gas which is or is to be so introduced, or so conveyed, whether generally or by, or on behalf of, a particular person;

(iv)separating, purifying, blending, odorising or compressing gas for the purpose of—

(aa)converting it into a form in which a purchaser is willing to accept delivery from a seller, or

(bb)enabling it to be loaded for conveyance to another place (whether inside or outside the United Kingdom); or

(v)loading gas—

(aa)at a facility which carries out operations of a kind mentioned in paragraph (iv), or

(bb)piped from such a facility,

for the purpose of enabling the gas to be conveyed to another place inside or outside the United Kingdom;

(i)“gas transporter” has the meaning given by section 7(1) of the Gas Act 1986 F199;

(j)“interconnector licence” means a licence granted under section 7ZA of the Gas Act 1986 F200;

(k)“LNG facility” has the meaning given by Article 2(11) of the Gas Directive;

(l)“LNG system operator” has the meaning given by Article 2(12) of the Gas Directive;

(m)“oil equivalent” means petroleum and, for the purposes of assessments of throughput, where petroleum is in a gaseous state 1,100 cubic meters of this petroleum at a temperature of 15 degrees Celsius and pressure of one atmosphere is counted as equivalent to one tonne;

(n)“oil processing facility” means any facility which carries out oil processing operations;

(o)“oil processing operations” means any of the following operations—

(i)initial blending and such other treatment of petroleum as may be required to produce stabilised crude oil to the point at which a seller could reasonably make a delivery to a purchaser of such oil;

(ii)receiving stabilised crude oil piped from an oil processing facility carrying out operations of a kind mentioned in sub-paragraph (i), or storing oil so received, prior to their conveyance to another place (whether inside or outside the United Kingdom);

(iii)loading stabilised crude oil piped from a facility carrying out operations of a kind mentioned in sub-paragraph (i) or (ii) for conveyance to another place (whether inside or outside the United Kingdom);

[F201(oa)“operator” means—

(i)in relation to a pipeline—

(aa)the person who is to have or (once any fluid or any mixture of fluids is conveyed) has control over the conveyance of any fluid or any mixture of fluids in the pipeline;

(bb)until that person is known, the person who is to commission or (where commissioning has started) commissions the design and construction of the pipeline; or

(cc)when a pipeline is no longer used or is not for the time being used, the person last having control over the conveyance of fluid or any mixture of fluids in it;

(ii)in relation to a production installation—

(aa)the person appointed by the licensee of the operator or by any other person to manage and control directly the execution of the main functions of a production installation; or

(bb)the licensee, where it is not clear to the designated competent authority that one person has been appointed to perform the functions described in paragraph (aa) or, in the opinion of that authority, the person appointed to perform the functions described in that paragraph is incapable of performing those functions satisfactorily;]

(p)“petroleum” has the same meaning as in section 1 of the Petroleum Act 1998 F202, and includes petroleum that has undergone any processing;

(q)“petroleum production project” means a project carried out by virtue of a licence granted under—

(i)section 3 of the Petroleum Act 1998 F203;

(ii)section 2 of the Petroleum (Production) Act 1934 F204; or

(iii)section 2 of the Petroleum (Production) Act (Northern Ireland) 1964 F205;

and includes such a project which is used for the storage of gas;

(r)“piped gas” means gas which—

(i)originated from a petroleum production project (or an equivalent project in a foreign sector of the continental shelf); and

(ii)has been conveyed only by means of pipes;

(s)“pipeline” means a pipe or system of pipes for the conveyance of anything;

[F206(sa)“production installation” has the meaning given by regulation 2(1) of the Offshore Installations (Safety Case) Regulations 2005;]

(t)“relevant offshore installation” means an offshore installation within the meaning of section 44 of the Petroleum Act 1998 F207 which carries on the activities mentioned in subsection (3)(a) or (c) of that section and is a relevant offshore installation only to the extent it is used to carry on those activities;

(u)“storage facility” has the meaning given by Article 2(9) of the Gas Directive;

(v)“storage system operator” has the meaning given by Article 2(10) of the Gas Directive;

(w)“supply” has the meaning given by Article 2(7) of the Gas Directive;

(x)“supply undertaking” has the meaning given by Article 2(8) of the Gas Directive;

(y)“terminal” includes—

(i)facilities for such initial blending and other treatment as may be required to produce stabilised crude oil to the point at which a seller could reasonably make a delivery to a purchaser of such oil;

(ii)oil processing facilities;

(iii)gas processing facilities; and

(iv)a facility for the reception of gas prior to its conveyance to a place outside the United Kingdom;

(z)“transmission” has the meaning given by Article 2(3) of the Gas Directive; and

(aa)“transmission system operator” has the meaning given by Article 2(4) of the Gas Directive;

(bb)“upstream petroleum pipeline” means a pipeline or one of a network of pipelines which is—

(i)operated or constructed as part of a petroleum production project (or an equivalent project in a foreign sector of the continental shelf) and is not a carbon dioxide pipeline;

(ii)used to convey petroleum from the site of one or more such projects—

(aa)directly to premises, in order for that petroleum to be used at those premises for power generation or for an industrial process;

(bb)directly to a place outside the United Kingdom;

(cc)directly to a terminal; or

(dd)indirectly to a terminal by way of one or more other terminals, whether or not such intermediate terminals are of the same kind as the final terminal; or

(iii)used to convey gas directly from a terminal to a pipeline system operated by a gas transporter or to any premises.

(11) In—

(a)sub-paragraphs 2(a), 3(a), 4(a), 5(a) and 6(a), or in any provision of the Gas Directive to which these sub-paragraphs cross-refer, any reference to “gas” or “natural gas” means any substance in a gaseous state which consists wholly or mainly of—

(i)methane or hydrogen;

(ii)a mixture of two or more of those gases; or

(iii)a combustible mixture of one or more of those gases and air;

(b)sub-paragraphs 10(h), (q), (r), (y) and (bb), “gas” means any substance which is or, if it were in a gaseous state, would be gas within the meaning of Part 1 of the Gas Act 1986 F208.

(12) In this paragraph an upstream petroleum pipeline, oil processing facility, or gas processing facility is “relevant” if and in so far as it is situated in—

(a)the United Kingdom;

(b)the territorial sea adjacent to the United Kingdom; or

(c)the sea [F209(including the seabed and subsoil)] in any area designated under section 1(7) of the Continental Shelf Act 1964 F210.

[F211(13) In this paragraph, “Great Britain” includes—

(a)Great Britain;

(b)the territorial sea adjacent to Great Britain; and

(c)the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964.]

F191 S.I. 1996/275 (N.I. 2). Article 8(1)(c) was amended by regulation 17(1) of S.R. 2013 No. 92. There are other amendments to this instrument but none are relevant.

F192 There are no relevant amendments.

F193 Article 8(1)(d) was added by regulation 17(1) of S.R. 2013 No. 92.

F195 2011 c. 16. There are no amendments relevant to this instrument.

F196 OJ No. L 211, 14.8.2009, p. 94.

F197 2011 c. 16. There are no amendments relevant to this instrument.

F198 1995 c. 45. Section 12 of the Gas Act 1995 was amended by the Energy Act 2011 (c. 16) and the Utilities Act 2000 (c. 27). There are other amendments not relevant to this instrument.

F199 1986 c. 44. Section 7(1) was substituted by section 76 of the Utilities Act 2000 (c. 27). There are other amendments not relevant to this instrument.

F200 1986 c. 44. Section 7ZA of the Gas Act 1986 was inserted by section 149 of the Energy Act 2004 (c. 20).

F204 1934 c. 36. This Act was repealed by section 51 of and Schedule 5 to the Petroleum Act 1998 (c. 17), subject to the savings provisions set out in Schedule 3.

F207 There are amendments to section 44 of the Petroleum Act (c. 17) not relevant to this instrument.

F210 1964 c. 29. Section 1(7) of the Continental Shelf Act 1964 was amended by section 37 of, and Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23), and section 103 of the Energy Act 2011 (c. 16).

The air transport subsector

4.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the air transport subsector.

(2) For the essential service of the provision of services by the owner or manager of an aerodrome, the threshold requirement in the United Kingdom is an owner or manager of an aerodrome with annual terminal passenger numbers greater than 10 million.

(3) For the essential service of the provision of air traffic services (as defined in the Transport Act 2000), the threshold requirement in the United Kingdom is—

(a)an entity which is granted a licence by the Secretary of State or the Civil Aviation Authority to provide en-route air traffic services in the United Kingdom; or

(b)an air-traffic service provider at any airport which has annual terminal passenger numbers greater than 10 million.

(4) For the essential service of the provision of services by air carriers, the threshold requirement in the United Kingdom is an air carrier which has—

(a)more than thirty percent of the annual terminal passengers at any United Kingdom airport which has annual terminal passenger numbers greater than 10 million; and

(b)more than 10 million total annual terminal passengers across all United Kingdom airports.

(5) In this paragraph—

(a)“an aerodrome” has the same meaning as in the Civil Aviation Act 1982 F212;

(b)“air carrier” has the same meaning as in Article 3(4) of Regulation (EC) No 300/2008 of the European Parliament and of the Council on common rules in the field of civil aviation security and repealing Regulation EC No 2320/2202 F213.

F213 OJ No. L 97, 9.4.2008, p72.

The water transport subsector

5.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the water transport subsector.

(2) For the essential service of shipping in the United Kingdom, the threshold requirement is—

(a)a shipping company which handles—

(i)over 5 million tonnes of total annual freight at United Kingdom ports; and

(ii)over thirty percent of the freight at any individual United Kingdom port which fulfils at least one of the following criteria—

(aa)it handles more than fifteen percent of the total roll-on roll-off traffic in the United Kingdom;

(bb)it handles more than fifteen percent of the total lift-on lift-off traffic in the United Kingdom;

(cc)it handles more than ten percent of the total liquid bulk traffic in the United Kingdom; or

(dd)it handles more than twenty percent of the total biomass fuel traffic in the United Kingdom; or

(b)a shipping company with over thirty percent of the annual passenger numbers at any individual United Kingdom port which has annual passenger numbers greater than 10 million.

(3) For the essential service of the provision of services by a harbour authority for a port in the United Kingdom, the threshold requirement is—

(a)a harbour authority for a port which has annual passenger numbers greater than 10 million; or

(b)a harbour authority for a port which fulfils at least one of the following criteria—

(i)it handles more than fifteen percent of the total roll-on roll-off traffic in the United Kingdom;

(ii)it handles more than fifteen percent of the total lift-on lift-off traffic in the United Kingdom;

(iii)it handles more than ten percent of the total liquid bulk traffic in the United Kingdom; or

(iv)it handles more than twenty percent of the total biomass fuel traffic in the United Kingdom.

(4) For the essential service of the provision of services by an operator of a port facility in the United Kingdom, the threshold requirement is—

(a)an operator of a port facility which handles passengers at a port which has annual passenger numbers greater than 10 million; or

(b)an operator of a port facility at a port which fulfils at least one of the following criteria—

(i)it handles more than fifteen percent of the total roll-on roll-off traffic in the United Kingdom;

(ii)it handles more than fifteen percent of the total lift-on lift-off traffic in the United Kingdom;

(iii)it handles more than ten percent of the total liquid bulk traffic in the United Kingdom; or

(iv)it handles more than twenty percent of the total biomass fuel traffic in the United Kingdom;

and where that port facility operator handles the same type of freight for which the port fulfils one of the criteria mentioned in sub-paragraphs (i)-(iv).

(5) For the essential service of vessel traffic services in the United Kingdom, the threshold requirement is—

(a)an operator of vessel traffic services at a port which has annual passenger numbers greater than 10 million; or

(b)an operator of vessel traffic services at a port which fulfils at least one of the following criteria—

(i)it handles more than fifteen percent of the total roll-on roll-off traffic in the United Kingdom;

(ii)it handles more than fifteen percent of the total lift-on lift-off traffic in the United Kingdom;

(iii)it handles more than ten percent of the total liquid bulk traffic in the United Kingdom; or

(iv)it handles more than twenty percent of the total biomass fuel traffic in the United Kingdom.

(6) In this paragraph—

(a)“harbour authority” has the same meaning [F214as] in section 313(1) of the Merchant Shipping Act 1995 F215;

(b)“port facility” has the same meaning as in regulation 2 of the Port Security Regulations 2009 F216;

(c)“vessel traffic services” has the same meaning as in regulation 2(1) of the Merchant Shipping (Vessel Traffic Monitoring and Reporting Requirements) Regulations 2004 F217.

F215 1995 c. 21. The definition for “harbour authority” was substituted by section 29(1) of, and paragraph 19(2)(a) of Schedule 6 to, the Merchant Shipping and Maritime Security Act 1997 (c. 28). There are other amendments not relevant to this instrument.

F217 S.I. 2004/2110 as amended by S.I. 2011/2616. There are other amendments not relevant to this instrument.

The rail transport subsector

6.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the rail transport subsector.

(2) For the essential service of rail services the threshold requirements are—

(a)in Great Britain, any operator of a mainline railway asset but excluding operators of—

(i)railway assets solely for the provision of international rail services;

(ii)railway assets for metro, tram and other light rail, including underground, systems;

(iii)heritage, museum or tourist railways, whether or not they are operating solely on their own network; and

(iv)networks which are privately owned and exist solely for use by the infrastructure owner for its own freight operations or other passenger or freight services for third parties and operators of passenger or freight services on those networks (including high speed rail services);

(b)in Northern Ireland, any railway undertaking in Northern Ireland.

(3) For the essential service of high speed rail services the threshold requirement in the United Kingdom is an operator of a railway asset for high speed rail services.

(4) For the essential service of metros, trams and other light rail services (including underground services), the threshold requirement in the United Kingdom is an operator with more than 50 million annual passenger journeys.

(5) For the essential service of international rail services the threshold requirement in the United Kingdom is an operator of a Channel Tunnel train or the infrastructure manager of the Channel Fixed Link.

(6) In this paragraph—

(a)“operator” and “railway asset” have the same meaning as in section 6 of the Railways Act 1993 F218;

(b)“international rail service” means a rail service where all carriages on the train cross a border of the United Kingdom and that of a Member State, and where the principal purpose of the service is to carry passengers or goods between stations located in the United Kingdom and a station in at least one Member State;

(c)“mainline railway” has the same meaning as in the Railways and Other Guided Transport Systems (Safety) Regulations 2006 F219;

(d)“railway undertaking” has the same meaning as in section 55 of the Transport Act (Northern Ireland) 1967 F220 but excludes heritage railways operating solely on their own network; and

(e)“Channel Tunnel train” has the same meaning as in article 2(1) of the Channel Tunnel (Security) Order 1994 F221 and “Channel Fixed Link” has the same meaning as in section 1 of the Channel Tunnel Act 1987 F222.

F218 1993 c. 43. There are amendments not relevant to this instrument.

The road transport subsector

7.—(1) For the essential service of road transport services, the threshold requirement in the United Kingdom is a road authority responsible for roads in the United Kingdom that have vehicles travelling more than 50 billion miles in total on them.

(2) For the essential service of road services provided by Intelligent Transport Systems, the threshold requirement in the United Kingdom is a road authority that provides Intelligent Transport Systems services which covers roads in the United Kingdom that have vehicles travelling more than 50 billion miles in total on them, per year.

(3) (a) “road authority” has the same meaning [F223as] in Article 2(12) of Commission Delegated Regulation (EU) 2015/962 supplementing Directive 2010/40/EU of the European Parliament and the Council with regard to the provision of EU-wide real-time traffic information services F224; and

(b)“Intelligent Transport Systems” has the same meaning as in Article 4(1) of Directive 2010/40/EU of the European Parliament and of the Council on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport F225.

F224 OJ No. L 57, 23.6.2015, p. 21.

F225 OJ No. L 207, 6.8.2010, p. 1.

The healthcare subsector

8.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the healthcare settings sector.

(2) For the essential service of healthcare services the threshold requirements are—

(a)in England, an NHS Trust as defined in section 25 of the National Health Service Act 2006 F226 or a Foundation trust as defined in section 30 of the National Health Service Act 2006 F227;

(b)in Wales, a Local Health Board or NHS Trust as defined in the National Health Service (Wales) Act 2006 F228;

(c)in Scotland—

(i)the Common Services Agency for the Scottish Health Service established under section 10 of the National Health Service (Scotland) Act 1978 F229;

(ii)a Health Board, constituted under section 2 of the National Health Service (Scotland) Act 1978 F230; [F231and

(iii)a Special Health Board, constituted under section 2 of the National Health Service (Scotland) Act 1978;]

(d)in Northern Ireland, the Health and Social Care Trusts within the meaning of “HSC Trust” in section 31 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 F232.

F229 1978 c. 29. Section 10 was amended by sections 25 and 26 of the Health Services Act 1980 (c. 53) and section 65 of the Health Act 1999 (c. 8).

F230 There are no amendments relevant to this instrument.

F231 Sch. 2 para. 8(2)(c)(iii) and word substituted for Sch. 2 para. 8(2)(c)(iii)-(vi) (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 20(c) (with reg. 21)

F232 2009 c. 1 (N.I.). There are amendments not relevant to this instrument.

The drinking water supply and distribution subsector

9.  The threshold requirement which applies to the essential service of the supply of potable water in the United Kingdom is the supply of water to 200,000 or more people.

The digital infrastructure subsector

10.—(1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the digital infrastructure subsector.

[F233(2) For the essential service of a TLD Name Registry, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is a TLD Name Registry which services 14 billion or more queries from any devices located within the United Kingdom in any consecutive 168-hour period for domains registered within the Internet Corporation for Assigned Names and Numbers (“ICANN”).

(3) For the essential service of a DNS resolver service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is a DNS resolver service which services 500,000 or more different Internet Protocol addresses used by persons in the United Kingdom in any consecutive 168-hour period.

(3A) For the essential service of a DNS authoritative hosting service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is a DNS authoritative hosting service which services 100,000 or more domains registered to persons with an address in the United Kingdom.

(4) For the essential service of an IXP provided by an IXP operator, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is an IXP operator which has 30% or more market share amongst IXP operators in the United Kingdom, in terms of interconnected autonomous systems.]

(5) In this paragraph—

(a)“DNS” is a reference to “[F234Domain Name System]” which means a hierarchical distributed naming system [F234which processes and responds to queries for DNS resolution];

(b)“DNS service provider” is a reference to “[F235Domain Name System] service provider” which means an entity which provides DNS services [F235accessible via] the internet;

(c)“IXP” is a reference to “internet exchange point” which means a network facility which—

(i)enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic;

(ii)provides interconnection only for autonomous systems; and

(iii)does not require the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor does it alter or otherwise interfere with such traffic; F236...

[F237(ca)“IXP Operator” means a person who provides an IXP to another person and, where one or more persons are employed or engaged to provide an IXP under the direction or control of another person, it means only that other person;]

(d)“TLD Name Registry” is a reference to “top-level domain name registry” which means an entity which administers and operates the registration of internet domain names under a specific top-level domain.

Explanatory Note

(This note is not part of the Regulations)

These Regulations implement Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ No L194, 19.7.2016, p1).

Part 2 of these Regulations provides a national framework for the security of network and information systems in the United Kingdom (“UK”). Under regulation 2, a Minister of the Crown must designate and publish a “national strategy” covering the sectors specified in column 1 of the table in Schedule 1 (“the relevant sectors”) and digital services.

Regulation 3(1) designates national competent authorities, specified in column 3 of the table in Schedule 1, for the subsectors specified in column 2 of that table. Regulation 3(2) designates the Information Commissioner as the national competent authority for relevant digital service providers (“RDSPs”). The national competent authorities designated under regulation 3(1) and (2) (referred to as “NIS enforcement authorities”) are required to carry out the duties mentioned in regulation 3(3), (4) and (6).

Regulation 4 designates the ‘single point of contact’ (“SPOC”) for the UK and regulation 5 designates the UK's computer security incident response team for the relevant sectors and RDSPs.

Part 3 of these Regulations makes provision regarding the designation of operators of essential services and the duties which apply to them.

Under regulation 8, a person is identified as an operator of an essential service (an “OES”) by virtue of either falling within regulation 8(1) or (3). A person is deemed to be an OES under regulation 8(1) if they provide an essential service of kind specified in paragraphs 1 to 9 of Schedule 2 which also satisfies the threshold requirements specified for that kind of essential service. A person may be designated by a competent authority as an OES if they meet the conditions mentioned in regulation 8(3)(a) to (c). The deemed designation of an OES under regulation 8(1), or designation of an OES under regulation 8(3), may be revoked by a competent authority under regulation 9. An OES must fulfil the security duties set out in regulation 10 and the duty to notify incidents set out in regulation 11.

Part 4 of these Regulations makes provision regarding the duties which apply to RDSPs and the Information Commissioner. This includes a duty on all RDSPs to register with the Information Commissioner.

Part 5 of these Regulations makes provision for powers of enforcement and penalties which apply to contraventions of the duties set out in these Regulations. Regulation 15 enables a competent authority to serve an information notice on an OES or any person to obtain information that it reasonably requires for specified purposes. Regulation 19 makes provision for the independent review of a decision to designate an OES or a decision to serve a penalty notice.

Part 6 of these Regulations makes provision about miscellaneous matters such as fees, proceeds of penalties, general considerations that apply to enforcement actions and service of documents.

Regulation 25 sets out a process for the Secretary of State to review the regulatory provision contained within these Regulations and publish a report setting out the conclusions of that review. The first such report must be published on or before 9th May 2020 and subsequent reviews must be carried out biennially after that date.

An impact assessment has been produced by the Department for Digital, Culture, Media and Sport and is published alongside the instrument at www.legislation.gov.uk.

An Explanatory Memorandum and a Transposition Note are published alongside the instrument at www.legislation.gov.uk.

The Directive referred to above is published at http://eur-lex.europa.eu.
