These Regulations are made in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018 (c. 16) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(d)) arising from the withdrawal of the United Kingdom from the European Union.

These Regulations amend both the retained EU law version of Commission Implementing Regulation (EU) 2018/151 and the Network and Information Systems Regulations 2018 (S.I. 2018/506) (which relate to securing network and information systems) by amending and removing certain criteria for managing and reporting cyber risks that apply to digital service providers where those criteria are no longer appropriate now that the United Kingdom has left the European Union. In particular, thresholds for reporting cyber incidents that were set by reference to the impact of the incident on the European Union’s population have been removed and these thresholds will instead be set in guidance.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sectors is foreseen.