The Network and Information Systems Regulations 2018

There are currently no known outstanding effects for The Network and Information Systems Regulations 2018, PART 5.

PART 5 (U.K.) Enforcement and penalties

Information notices (U.K.)

15.—(1) In order to assess whether a person should be an OES, a designated competent authority may serve an information notice [F1 in writing] upon any person requiring that person to provide it with [F2 all such information as] it reasonably requires to establish whether—

(a) a threshold requirement described in F3 ... Schedule 2 is met; or

(b) the conditions mentioned in regulation 8(3) are met.

(2) A designated competent authority may serve an information notice [F4 in writing] upon an OES requiring [F5 the OES] to provide it with [F6 all such information as] it reasonably requires [F7 for one or more of the following purposes]—

[F8 (a) to assess the security of the OES’s network and information systems;

(b) to establish whether there have been any events that the authority has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

(c) to identify any failure of the OES to comply with any duty set out in these Regulations;

(d) to assess the implementation of the OES’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.]

(3) The Information Commissioner may serve upon a RDSP an information notice [F9 in writing] requiring that RDSP to provide the Information Commissioner with [F10 all such information as] the Information Commissioner reasonably requires [F11 for one or more of the following purposes]—

[F12 (a) to assess the security of the RDSP’s network and information systems;

(b) to establish whether there have been any events that the Commissioner has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

(c) to identify any failure of the RDSP to comply with any duty set out in these Regulations;

(d) to assess the implementation of the RDSP’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.]

F13 (4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5) An information notice must—

(a) describe the information that is required by the designated competent authority or the Information Commissioner;

(b) provide the reasons for requesting such information;

(c) specify the form and manner in which the requested information is to be provided; and

(d) specify the time period within which the information must be provided.

[F14 (5A) A person upon whom an information notice has been served under this regulation must comply with the requirements of the notice.]

(6) In a case falling within paragraph (1) the information notice may—

(a) be served by publishing it in such manner as the designated competent authority considers appropriate in order to bring it to the attention of any persons who are described in the notice as the persons from whom the information is required; and

(b) take the form of a general request for a certain category of persons to provide the information that is specified in the notice.

(7) A competent authority or the Information Commissioner may withdraw an information notice by written notice to the person on whom it was served.

(8) An information notice under paragraph (1) may not be served upon the SPOC or CSIRT.

Power of inspection (U.K.)

16.—(1) [F15 The designated competent authority for an OES may—]

(a) conduct [F16 all or any part of] an inspection;

(b) appoint a person to conduct [F17 all or any part of] an inspection on its behalf; F18 ...

(c) direct the OES to appoint a person who is approved by that authority to conduct [F19 all or any part of] an inspection on its behalf,

F20 ....

(2) The Information Commissioner may—

(a) conduct [F21 all or any part of] an inspection;

(b) appoint a person to conduct [F22 all or any part of] an inspection on its behalf; F23 ...

(c) direct that a RDSP appoint a person who is approved by the Information Commissioner to conduct [F24 all or any part of] an inspection on its behalf,

F25 ....

(3) For the purposes of carrying out the inspection under paragraph (1) or (2), the OES or RDSP (as the case may be) must—

(a) pay the reasonable costs of the inspection [F26 if so required by the relevant competent authority or the Information Commissioner];

(b) co-operate with the [F27 inspector];

(c) provide the inspector with F28 ... access to their premises [F29 in accordance with paragraph (5)(a)];

[F30 (d) allow the inspector to examine, print, copy or remove any document or information, and examine or remove any material or equipment, in accordance with paragraph (5)(d);]

(e) allow the inspector access to any person from whom the inspector seeks relevant information for the purposes of the inspection;

[F31 (f) not intentionally obstruct an inspector performing their functions under these Regulations; and

(g) comply with any request made by, or requirement of, an inspector performing their functions under these Regulations.]

(4) The [F32 relevant] competent authority or Information Commissioner may appoint a person to [F33 conduct all or any part of] an inspection under paragraph (1)(b) or (2)(b) on its behalf on such terms and in such a manner as it considers appropriate.

[F34 (5) An inspector may—

(a) at any reasonable time enter the premises of an OES or RDSP (except any premises used wholly or mainly as a private dwelling) if the inspector has reasonable grounds to believe that entry to those premises may be necessary or helpful for the purpose of the inspection;

(b) require an OES or RDSP to leave undisturbed and not to dispose of, render inaccessible or alter in any way any material, document, information, in whatever form and wherever it is held (including where it is held remotely), or equipment which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

(c) require an OES or RDSP to produce and provide the inspector with access, for the purposes of the inspection, to any such material, document, information or equipment which is, or which the inspector considers to be, relevant to the inspection, either immediately or within such period as the inspector may specify;

(d) examine, print, copy or remove any document or information, and examine or remove any material or equipment (including for the purposes of printing or copying any document or information) which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

(e) take a statement or statements from any person;

(f) conduct, or direct the OES or RDSP to conduct, tests;

(g) take any other action that the inspector considers appropriate and reasonably required for the purposes of the inspection.

(6) The inspector must—

(a) produce proof of the inspector’s identity if requested by any person present at the premises; and

(b) take appropriate and proportionate measures to ensure that any material, document, information or equipment removed in accordance with paragraph (5)(d) is kept secure from unauthorised access, interference and physical damage.

(7) Before exercising any power under paragraph (5)(b) to (d) or (g), the inspector—

(a) must take such measures as appear to the inspector appropriate and proportionate to ensure that the ability of the OES or RDSP, as the case may be, to comply with any duty set out in these Regulations will not be affected; and

(b) may consult such persons as appear to the inspector appropriate for the purpose of ascertaining the risks, if any, there may be in doing anything which the inspector proposes to do under that power.

(8) Where under paragraph (5)(d) an inspector removes any document, material or equipment, the inspector must provide, to the extent practicable, a notice giving—

(a) sufficient particulars of that document, material or equipment for it to be identifiable; and

(b) details of any procedures in relation to the handling or return of the document, material or equipment.

(9) In this regulation—

(a) a reference to a “test” is a reference to any process which is—

(i) employed to verify assertions about the security of a network or information system; and

(ii) based on interacting with that system, including components of that system,

and includes the exercising of any relevant security or resilience management process;

(b) “inspection” means any activity carried out (including any steps mentioned in paragraph (5)) for the purpose of—

(i) verifying compliance with the requirements of these Regulations; or

(ii) assessing or gathering evidence of potential or alleged failures to comply with the requirements of these Regulations,

including any necessary follow-up activity for either purpose;

(c) “inspector” means any person conducting all or any part of an inspection in accordance with paragraph (1) or (2).]

Enforcement [F35 notices] for breach of duties (U.K.)

17.—(1) [F36 Subject to paragraph (2A),] the designated competent authority for an OES may serve an enforcement notice upon that OES if the F37 ... authority has reasonable grounds to believe that the OES has failed to—

[F38 (za) notify it under regulation 8(2);

(zb) comply with the requirements stipulated in regulation 8A;]

(a) fulfil the security duties under regulation 10(1) and (2);

(b) notify a NIS incident under regulation 11(1);

(c) comply with the notification requirements stipulated in regulation 11(3);

(d) notify an incident as required by regulation 12(9);

(e) comply with an information notice issued under regulation 15; or

(f) comply with—

(i) a direction given under regulation 16(1)(c), or

(ii) the requirements stipulated in regulation 16(3).

(2) [F39 Subject to paragraph (2A),] the Information Commissioner may serve an enforcement notice upon a RDSP if the Commissioner has reasonable grounds to believe that the RDSP has failed to—

(a) fulfil its duties under regulation 12(1) or (2);

(b) notify an incident under regulation 12(3);

(c) comply with the notification requirements stipulated in regulation 12(5);

(d) comply with a direction made by the Information Commissioner under regulation 12(12);

[F40 (da) comply with the requirements stipulated in regulation 14A;]

(e) comply with an information notice issued under regulation 15; or

(f) comply with—

(i) a direction given under regulation 16(2)(c), or

(ii) the requirements stipulated in regulation 16(3).

[F41 (2A) Before serving an enforcement notice under paragraph (1) or (2), the relevant competent authority or the Information Commissioner must inform the OES or RDSP, in such form and manner as it considers appropriate having regard to the facts and circumstances of the case, of—

(a) the alleged failure; and

(b) how and by when representations may be made in relation to the alleged failure and any related matters.

(2B) When the relevant competent authority or the Information Commissioner informs the OES or RDSP in accordance with paragraph (2A), it may also provide notice of its intention to serve an enforcement notice.

(2C) The relevant competent authority or the Information Commissioner may serve an enforcement notice on the OES or RDSP within a reasonable time, irrespective of whether it has provided any notice in accordance with paragraph (2B), having regard to the facts and circumstances of the case, after it has informed the OES or RDSP in accordance with paragraph (2A).

(2D) The relevant competent authority or the Information Commissioner must have regard to any representations made under paragraph (2A)(b).]

(3) An enforcement notice that is served under paragraph (1) or (2) must be in writing and must specify the following—

(a) the reasons for serving the notice;

(b) the alleged failure which is the subject of the notice; [F42 and]

(c) what steps, if any, must be taken to rectify the alleged failure and the time period during which such steps must be taken; F43 ...

F43 (d) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F44 (3A) An OES or RDSP upon whom an enforcement notice has been served under paragraph (1) or (2) must comply with the requirements, if any, of the notice regardless of whether the OES or RDSP has paid any penalty imposed on it under regulation 18.]

(4) If the relevant competent authority or Information Commissioner is satisfied that no further action is required, having considered—

(a) [F45 any] representations submitted in accordance with paragraph [F46 (2A)]; or

(b) any steps taken to rectify the alleged failure;

it must inform the OES or the RDSP, as the case may be, in writing, as soon as reasonably practicable.

(5) The OES or RDSP may request reasons for a decision to take no further action under paragraph (4) within 28 days of being informed of that decision.

(6) Upon receipt of a request under paragraph (5), the relevant competent authority or Information Commissioner must provide written reasons for a decision under paragraph (4) within a reasonable time and in any event no later than 28 days.

Penalties (U.K.)

18. [F47 (1) The designated competent authority for an OES may serve a notice of intention to impose a penalty on the OES if it has reasonable grounds to believe that the OES has failed to comply with a duty referred to in regulation 17(1) or the duty set out in regulation 17(3A) and considers that a penalty is warranted having regard to the facts and circumstances of the case.

(2) The Information Commissioner may serve a notice of intention to impose a penalty on a RDSP if it has reasonable grounds to believe that the RDSP has failed to comply with a duty referred to in regulation 17(2) or the duty set out in regulation 17(3A) and considers that a penalty is warranted having regard to the facts and circumstances of the case.]

(3) A [F48 notice of intention to impose a penalty] must be in writing and must specify the following—

(a) the reasons for imposing a penalty;

(b) the sum that is [F49 intended] to be imposed as a penalty and how it is to be paid;

(c) the date on which the notice [F50 of intention to impose a penalty] is given;

[F51 (d) the period within which a penalty will be required to be paid if a penalty notice is served;

(e) that the payment of a penalty under a penalty notice (if any) is without prejudice to the requirements of any enforcement notice (if any); and

(f) how and when representations may be made about the content of the notice of intention to impose a penalty and any related matters.]

[F52 (3A) The relevant competent authority may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the OES with a final penalty decision if the authority is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

(3B) The Information Commissioner may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the RDSP with a final penalty decision if the Commissioner is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

(3C) The relevant competent authority or the Information Commissioner may serve a notice of intention to impose a penalty or a penalty notice irrespective of whether it has served or is contemporaneously serving an enforcement notice on the OES or RDSP under regulation 17(1) or (2).

(3D) A penalty notice must—

(a) be given in writing to the OES or RDSP;

(b) include reasons for the final penalty decision;

(c) require the OES or RDSP to pay—

(i) the penalty specified in the notice of intention to impose a penalty; or

(ii) such penalty as the relevant competent authority or the Information Commissioner considers appropriate in the light of any representations made by the OES or RDSP and any steps taken by the OES or RDSP to rectify the failure or to do one or more of the things required by an enforcement notice under regulation 17(3);

(d) specify the period within which the penalty must be paid (“the payment period”) and the date on which the payment period is to commence;

(e) provide details of the appeal process under regulation 19A; and

(f) specify the consequences of failing to make payment within the payment period.

(3E) It is the duty of the OES or RDSP to comply with any requirement imposed by a penalty notice.]

(4) A competent authority or the Information Commissioner may withdraw a penalty notice by informing the person upon whom it was served in writing.

(5) The sum [F53 of any penalty imposed] under this regulation must be an amount that—

(a) the competent authority or Information Commissioner determines is appropriate and proportionate to the failure in respect of which it is imposed; and

(b) is in accordance with paragraph (6).

(6) The amount F54 ... must—

(a) not exceed £1,000,000 for any contravention which the [F55 NIS] enforcement authority determines [F56 was not a material contravention];

F57 (b) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c) not exceed £8,500,000 for a material contravention which the [F58 NIS] enforcement authority determines [F59 does not meet the criteria set out in sub-paragraph (d)]; and

(d) not exceed £17,000,000 for a material contravention which the [F60 NIS] enforcement authority determines [F61 has or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES or RDSP.]

(7) In this regulation—

[F62 (a) “a material contravention” means—

(i) [F63 a failure to take, or adequately take, one or more of the steps required under an enforcement notice within the period specified in that notice to rectify a failure described in one or more of—

(aa) sub-paragraphs (a) to (d) of regulation 17(1); or

(bb) sub-paragraphs (a) to (d) of regulation 17(2); or

(ii) where an enforcement notice was not served or where no steps were required to be taken under an enforcement notice, a failure described in one or more of—

(aa) sub-paragraphs (a) to (d) of regulation 17(1); or

(bb) sub-paragraphs (a) to (d) of regulation 17(2).]]

F64 (b) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Independent review of designation decisions and penalty decisions (U.K.)

F65 19. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F66 Appeal by an OES or RDSP to the First-tier Tribunal (U.K.)

19A.—(1) An OES may appeal to the First-tier Tribunal against one or more of the following decisions of the designated competent authority for the OES on one or more of the grounds specified in paragraph (3)—

(a) a decision under regulation 8(3) to designate that person as an OES;

(b) a decision under regulation 9(1) or (2) to revoke the designation of that OES;

(c) a decision under regulation 17(1) to serve an enforcement notice on that OES;

(d) a decision under regulation 18(3A) to serve a penalty notice on that OES.

(2) A RDSP may appeal to the First-tier Tribunal against one or both of the following decisions of the Information Commissioner on one or more of the grounds specified in paragraph (3)—

(a) a decision under regulation 17(2) to serve an enforcement notice on that RDSP;

(b) a decision under regulation 18(3B) to serve a penalty notice on that RDSP.

(3) The grounds of appeal referred to in paragraphs (1) and (2) are—

(a) that the decision was based on a material error as to the facts;

(b) that any of the procedural requirements under these Regulations in relation to the decision have not been complied with and the interests of the OES or RDSP have been substantially prejudiced by the non-compliance;

(c) that the decision was wrong in law;

(d) that there was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the interests of the OES or RDSP.]

[F66 Decision of the First-tier Tribunal (U.K.)

19B.—(1) The First-tier Tribunal must determine the appeal after considering the grounds of appeal referred to in regulation 19A(3) and by applying the same principles as would be applied by a court on an application for judicial review.

(2) The Tribunal may, until it has determined the appeal in accordance with paragraph (1) and unless the appeal is withdrawn, suspend the effect of the whole or part of any of the following decisions to which the appeal relates—

(a) a decision under regulation 8(3) to designate a person as an OES;

(b) a decision under regulation 9(1) or (2) to revoke the designation of a person as an OES;

(c) a decision under regulation 17(1) to serve an enforcement notice;

(d) a decision under regulation 17(2) to serve an enforcement notice;

(e) a decision under regulation 18(3A) to serve a penalty notice; or

(f) a decision under regulation 18(3B) to serve a penalty notice.

(3) The Tribunal may—

(a) confirm any decision to which the appeal relates; or

(b) quash the whole or part of any decision to which the appeal relates.

(4) Where the Tribunal quashes the whole or part of a decision to which the appeal relates, it must remit the matter back to the designated competent authority for the OES or, as the case may be, the Information Commissioner, with a direction to that authority or the Commissioner to reconsider the matter and make a new decision having regard to the ruling of the Tribunal.

(5) The relevant competent authority or, as the case may be, the Information Commissioner, must have regard to a direction under paragraph (4).

(6) Where the relevant competent authority or, as the case may be, the Information Commissioner, makes a new decision in accordance with a direction under paragraph (4), that decision is to be considered final.]

[F66 Enforcement by civil proceedings (U.K.)

A20.—(1) This regulation applies where—

(a) a designated competent authority for an OES has reasonable grounds to believe that the OES has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A); or

(b) the Information Commissioner has reasonable grounds to believe that a RDSP has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A).

(2) This regulation applies irrespective of whether the OES or RDSP has appealed to the First-tier Tribunal under regulation 19A.

(3) But where an OES or RDSP has appealed to the First-tier Tribunal under regulation 19A and the Tribunal has granted a suspension of the effect of the whole or part of the relevant decision under regulation 19B(2), the relevant competent authority or the Information Commissioner, as the case may be, may not bring or continue proceedings under this regulation in respect of that decision or that part of that decision for as long as the suspension has effect.

(4) Where paragraph (1)(a) applies, the relevant competent authority may commence civil proceedings against the OES—

(a) for an injunction to enforce the duty in regulation 17(3A);

(b) for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

(c) for any other appropriate remedy or relief.

(5) Where paragraph (1)(b) applies, the Information Commissioner may commence civil proceedings against the RDSP—

(a) for an injunction to enforce the duty in regulation 17(3A);

(b) for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

(c) for any other appropriate remedy or relief.

(6) No civil proceedings may be commenced under this regulation before the end of a period of 28 days beginning with the day on which the last relevant enforcement notice was served on the OES or, as the case may be, RDSP.

(7) In this regulation, a reference to civil proceedings is a reference to proceedings, other than proceedings in respect of an offence, before a civil court in the United Kingdom.]

Enforcement of penalty notices (U.K.)

20.—(1) This paragraph applies where a sum is payable to an enforcement authority as a penalty under regulation 18.

(2) In England and Wales the penalty is recoverable as if it were payable under an order of the county court or of the High Court.

(3) In Scotland the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom.

(4) In Northern Ireland the penalty is recoverable as if it were payable under an order of a county court or of the High Court.

(5) Where action is taken under this paragraph for the recovery of a sum payable as a penalty under regulation 18, the penalty is—

(a) in relation to England and Wales, to be treated for the purposes of section 98 of the Courts Act 2003 M1 (register of judgments and orders etc.) as if it were a judgment entered in the county court;

(b) in relation to Northern Ireland, to be treated for the purposes of Article 116 of the Judgments Enforcement (Northern Ireland) Order 1981 M2 (register of judgments) as if it were a judgment in respect of which an application has been accepted under Article 22 or 23(1) of that Order.

(6) No action may be taken under this paragraph for the recovery of a sum payable as a penalty under regulation 18 if [F67 an appeal has been brought under regulation 19A and the appeal] has not been determined or withdrawn.

Marginal Citations

M1 2003 c. 39. Section 98 was amended by sections 48(1) and 106(2) of, and paragraph 55(1), (2), (3)(a) and (b) of Schedule 8 and paragraph 15 of Schedule 16 to, the Tribunals, Courts and Enforcement Act 2007 (c. 15), and section 17(5) of, and paragraph 40(a) and (c) of Part 2 of Schedule 9 to, the Crime and Courts Act 2013 (c. 22). Further amendments made by the Tribunals, Courts and Enforcement Act 2007 have yet to be brought into force.
