There are currently no known outstanding effects for The Network and Information Systems Regulations 2018, PART 4.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
12.—(1) A RDSP must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide, within the [F1 United Kingdom], the following services—
(a) online marketplace;
(b) online search engine; or
(c) cloud computing service.
(2) The measures taken by a RDSP under paragraph (1) must—
(a) (having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed;
(b) prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services; and
(c) take into account the following elements as specified in Article 2 of EU Regulation 2018/151—
(i) the security of systems and facilities;
(ii) incident handling;
(iii) business continuity management;
(iv) monitoring auditing and testing; and
(v) compliance with international standards.
(3) A RDSP must notify the Information Commissioner [F2 in writing] about any incident having a substantial impact on the provision of any of the digital services mentioned in paragraph (1) that it provides.
(4) The requirement to notify in paragraph (3) applies only if the RDSP has access to information which enables it to assess whether the impact of an incident is substantial.
(5) The notification mentioned in paragraph (3) must provide the following information—
[F3 (a) the RDSP’s name and the digital services that it provides;]
(b) the time the F4... incident occurred;
(c) the duration of the F4... incident;
(d) information concerning the nature and impact of the F4... incident;
(e) information concerning any, or any likely, cross-border impact of the F4... incident; and
(f) any other information that may be helpful to the [F5 Information Commissioner].
(6) The notification under paragraph (3) must—
(a) be made without undue delay and in any event no later than 72 hours after the RDSP is [F6 first] aware that an incident has occurred; and
(b) contain sufficient information to enable the Information Commissioner to determine the significance of any cross-border impact.
(7) In order to determine whether the impact of an incident is substantial the RDSP must—
(a) take into account the following parameters, as specified in Article 3 of EU Regulation 2018/151—
(i) the number of users affected by the incident and, in particular, the users relying on the digital service for the provision of their own services;
(ii) the duration of the incident;
(iii) the geographical area affected by the incident;
(iv) the extent of the disruption to the functioning of the service;
(v) the extent of the impact on economic and societal activities; and
[F7 (b) have regard to any relevant guidance published by the Information Commissioner.]
(8) After receipt of a notification under paragraph (3) the Information Commissioner must share the incident notification with the CSIRT as soon as reasonably practicable.
(9) If an OES is reliant on a RDSP to provide an essential service, the operator must notify the [F8 designated competent authority for the OES in writing] in relation to it about any significant impact on the continuity of the service it provides caused by an incident affecting the RDSP [F9 without undue delay].
F10(10) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(11) The Information Commissioner is not required to share information under [F11 these Regulations] if the information contains—
(a) confidential information; or
(b) information which may prejudice the security or commercial interests of a RDSP.
(12) If the Information Commissioner or CSIRT—
(a) consults with the RDSP responsible for an incident notification under paragraph (3), and
(b) is of the view that public awareness about that incident is necessary to prevent or manage it, or is in the public interest,
the Information Commissioner or CSIRT may inform the public about that incident or [F12 the Commissioner may] direct the RDSP responsible for the notification to do so.
(13) Before the Information Commissioner or CSIRT informs the public about an incident notified under paragraph (3), the Information Commissioner or CSIRT must consult each other and the RDSP who provided the notification.
(14) The Information Commissioner may inform the public about an incident affecting digital services in [F13 a Member State of the EU] if—
(a) the relevant authorities in the affected Member State notify the Information Commissioner about the incident;
(b) the Commissioner consults with those relevant authorities; and
(c) the Commissioner is of the view mentioned in [F14 paragraph (12)(b)].
(15) The Information Commissioner must provide an annual report to the SPOC identifying the number and nature of incidents notified to it under paragraph (3).
(16) The first report mentioned in paragraph (15) must be submitted on or before 1st July 2018 and subsequent reports must be submitted at annual intervals after that date.
F15(17) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F1 Words in reg. 12(1) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 11(a); 2020 c. 1, Sch. 5 para. 1(1)
F2 Words in reg. 12(3) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(a) (with reg. 21)
F3 Reg. 12(5)(a) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(b)(i) (with reg. 21)
F4 Word in reg. 12(5)(b)-(e) omitted (31.12.2020) by virtue of The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(b)(ii) (with reg. 21)
F5 Words in reg. 12(5)(f) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(b)(iii) (with reg. 21)
F6 Word in reg. 12(6)(a) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(c) (with reg. 21)
F7 Reg. 12(7)(b) substituted (12.1.2022) by The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 (S.I. 2021/1461), regs. 1, 3(2)
F8 Words in reg. 12(9) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(d)(i) (with reg. 21)
F9 Words in reg. 12(9) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(d)(ii) (with reg. 21)
F10 Reg. 12(10) omitted (20.1.2021) by virtue of The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 11(b) (as amended by S.I. 2019/1444, regs. 1(2), 4); 2020 c. 1, Sch. 5 para. 1(1)
F11 Words in reg. 12(11) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 11(c); 2020 c. 1, Sch. 5 para. 1(1)
F12 Words in reg. 12(12) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 9(e) (with reg. 21)
F13 Words in reg. 12(14) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 11(d); 2020 c. 1, Sch. 5 para. 1(1)
F14 Words in reg. 12(14)(c) substituted (20.6.2018) by The Network and Information Systems (Amendment) Regulations 2018 (S.I. 2018/629), regs. 1, 2(7)(c)
F15 Reg. 12(17) omitted (20.1.2021) by virtue of The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 11(e); 2020 c. 1, Sch. 5 para. 1(1)
13. The Information Commissioner may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the Information Commissioner considers that to do so would be in the interests of effective supervision of digital service providers (whether inside or outside the United Kingdom), including in the event of an incident notified under regulation 12(3).]
Textual Amendments
14.—(1) The Information Commissioner must maintain a register of all RDSPs that have been notified to it.
(2) A RDSP must submit the following details to the Information Commissioner before the registration date for the purpose of maintaining the register mentioned in paragraph (1)—
(a) the name of the RDSP;
(b) the address of its head office, or of its nominated representative; and
(c) up-to-date contact details (including email addresses and telephone numbers).
(3) A RDSP must notify the Information Commissioner [F17 in writing] about any changes to the details it submitted under paragraph (2) as soon as possible, and in any event within three months of the date on which the change took effect.
(4) In this regulation, the “registration date” means—
(a) 1st November 2018, in the case of a RDSP who satisfies the conditions mentioned in regulation 1(3)(e) on the coming into force date of these Regulations, or
(b) in any other case, the date three months after the RDSP satisfies those conditions.
Textual Amendments
F17 Words in reg. 14(3) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 10 (with reg. 21)
14A.—(1) This regulation applies to any digital service provider which—
(a) has its head office outside the United Kingdom, but which offers digital services within the United Kingdom; and
(b) is not a small or micro enterprise as defined in Commission Recommendation 2003/361/EC.
(2) The digital service provider must—
(a) nominate in writing a representative in the United Kingdom; and
(b) notify the Information Commissioner of the name and contact details of that representative.
(3) The digital service provider must comply with paragraph (2)—
(a) in the case of a provider which is offering digital services within the United Kingdom on the coming into force date of these regulations, within three months of the date on which these regulations come into force; or
(b) in any other case, within three months of the provider first offering digital services in the United Kingdom.
(4) The Information Commissioner or GCHQ may contact the representative instead of or in addition to the digital service provider for the purposes of ensuring compliance with these Regulations.
(5) A nomination under paragraph (1) is without prejudice to any legal action which could be initiated against the nominating digital service provider.]
Textual Amendments