- Latest available (Revised)
- Original (As made)
There are currently no known outstanding effects for the The Network and Information Systems Regulations 2018, Section 15.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
15.—(1) In order to assess whether a person should be an OES, a designated competent authority may serve an information notice [F1in writing] upon any person requiring that person to provide it with [F2all such information as] it reasonably requires to establish whether—
(a)a threshold requirement described in F3... Schedule 2 is met; or
(b)the conditions mentioned in regulation 8(3) are met.
(2) A designated competent authority may serve an information notice [F4in writing] upon an OES requiring [F5the OES] to provide it with [F6all such information as] it reasonably requires [F7for one or more of the following purposes]—
[F8(a)to assess the security of the OES’s network and information systems;
(b)to establish whether there have been any events that the authority has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;
(c)to identify any failure of the OES to comply with any duty set out in these Regulations;
(d)to assess the implementation of the OES’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.]
(3) The Information Commissioner may serve upon a RDSP an information notice [F9in writing] requiring that RDSP to provide the Information Commissioner with [F10all such information as] the Information Commissioner reasonably requires [F11for one or more of the following purposes]—
[F12(a)to assess the security of the RDSP’s network and information systems;
(b)to establish whether there have been any events that the Commissioner has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;
(c)to identify any failure of the RDSP to comply with any duty set out in these Regulations;
(d)to assess the implementation of the RDSP’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.]
F13(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(5) An information notice must—
(a)describe the information that is required by the designated competent authority or the Information Commissioner;
(b)provide the reasons for requesting such information;
(c)specify the form and manner in which the requested information is to be provided; and
(d)specify the time period within which the information must be provided.
[F14(5A) A person upon whom an information notice has been served under this regulation must comply with the requirements of the notice.]
(6) In a case falling within paragraph (1) the information notice may—
(a)be served by publishing it in such manner as the designated competent authority considers appropriate in order to bring it to the attention of any persons who are described in the notice as the persons from whom the information is required; and
(b)take the form of a general request for a certain category of persons to provide the information that is specified in the notice.
(7) A competent authority or the Information Commissioner may withdraw an information notice by written notice to the person on whom it was served.
(8) An information notice under paragraph (1) may not be served upon the SPOC or CSIRT.
Textual Amendments
F1Words in reg. 15(1) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(a)(i) (with reg. 21)
F2Words in reg. 15(1) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(a)(ii) (with reg. 21)
F3Words in reg. 15(1)(a) omitted (20.6.2018) by virtue of The Network and Information Systems (Amendment) Regulations 2018 (S.I. 2018/629), regs. 1, 2(8)
F4Words in reg. 15(2) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(b)(i)(aa) (with reg. 21)
F5Words in reg. 15(2) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(b)(i)(bb) (with reg. 21)
F6Words in reg. 15(2) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(b)(i)(cc) (with reg. 21)
F7Words in reg. 15(2) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(b)(i)(dd) (with reg. 21)
F8Reg. 15(2)(a)-(d) substituted for reg. 15(2)(a)(b) (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(b)(ii) (with reg. 21)
F9Words in reg. 15(3) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(c)(i)(aa) (with reg. 21)
F10Words in reg. 15(3) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(c)(i)(bb) (with reg. 21)
F11Words in reg. 15(3) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(c)(i)(cc) (with reg. 21)
F12Reg. 15(3)(a)-(d) substituted for reg. 15(3)(a)(b) (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(c)(ii) (with reg. 21)
F13Reg. 15(4) omitted (31.12.2020) by virtue of The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(d) (with reg. 21)
F14Reg. 15(5A) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 11(e) (with reg. 21)
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
Impact Assessments generally accompany all UK Government interventions of a regulatory nature that affect the private sector, civil society organisations and public services. They apply regardless of whether the regulation originates from a domestic or international source and can accompany primary (Acts etc) and secondary legislation (SIs). An Impact Assessment allows those with an interest in the policy area to understand:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: