Amendment of the Network and Information Systems Regulations 2018

2.—(1) The Network and Information Systems Regulations 2018(1) are amended as follows.

(2) For paragraph (a) of regulation 1(3) (interpretation), substitute—

(a) an Article, Annex or paragraph of an Article or Annex is a reference to the Article, Annex or paragraph as numbered in Directive 2016/1148..

(3) For paragraph (c) of regulation 1(3) (interpretation), for “and” substitute “or”.

(4) In paragraph (5) of regulation 3 (designation of national competent authorities), omit “by”.

(5) In paragraphs (1) and (3)(a) of regulation 8 (identification of operators of essential services), omit “paragraphs 1 to 9 of”.

(6) In paragraph (11) of regulation 8, for “the “notification” date means” substitute “the “notification date” means”.

(7) In regulation 12 (relevant digital service providers)—

(a) in paragraph (7)(b), before “situations” add “the”;

(b) in paragraph (11), for “paragraph (9)” substitute “paragraph (10)”; and

(c) in paragraph (14)(c), for “paragraph (11)(b)” substitute “paragraph (12)(b)”.

(8) In paragraph (1)(a) of regulation 15 (information notices), omit “paragraphs 1 to 9 of”.

(9) In regulation 18—

(a) in paragraph (3)(e), after “process”, insert “which may be”; and

(b) for paragraph (7)(a), substitute—

(a) “a material contravention” means—

(i) a failure to take steps, or any adequate steps, within the stipulated time period to rectify a failing that is described in regulation 17(1)(a) to (d) or (2)(a) to (d); or

(ii) where no steps were required to be taken, a failing that is described in regulation 17(1)(a) to (d) or (2)(a) to (d);.

(10) In paragraph 19, for “reviews” substitute “a review”.

(11) For paragraphs (3) to (5) of regulation 25 (review and report), substitute—

(3) Section 30(3) of the Small Business, Enterprise and Employment Act 2015(2) requires that a review carried out under this regulation must, so far as is reasonable, have regard to how Directive 2016/1148(3) is implemented in other Member States.

(4) Section 30(4) of that Act requires that reports published under this regulation must, in particular—

(a) set out the objectives intended to be achieved by the regulatory provision referred to in paragraph (1)(a);

(b) assess the extent to which those objectives are achieved;

(c) assess whether those objectives remain appropriate; and

(d) if those objectives remain appropriate, assess the extent to which they could be achieved in another way which involves less onerous regulatory provision.

(5) In this regulation “regulatory provision” has the same meaning as in sections 28 to 32 of that Act..

(12) In Schedule 2—

(a) in sub-paragraph (a) of paragraph 5(6), insert “as” after “meaning”; and

(b) in sub-paragraph (a) of paragraph 7(3), insert “as” after “meaning”.

(3) Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ No. L 194, 19.7.2016, p. 1.