- Latest available (Revised)
- Original (As made)
The Network and Information Systems Regulations 2018
You are here:
- UK Statutory Instruments
- 2018 No. 506
- PART 3
- Regulation 11
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
More Resources
Changes over time for: Section 11
Alternative versions:
Changes to legislation:
There are currently no known outstanding effects for the The Network and Information Systems Regulations 2018, Section 11.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
The duty to notify incidentsU.K.
This section has no associated Explanatory Memorandum
11.—(1) An OES must notify the designated competent authority [F1for the OES in writing] about any incident which has a significant impact on the continuity of the essential service which that OES provides (“a network and information systems (“NIS”) incident”).
(2) In order to determine the significance of the impact of an incident an OES must have regard to the following factors—
(a)the number of users affected by the disruption of the essential service;
(b)the duration of the incident; and
(c)the geographical area affected by the incident.
(3) The notification mentioned in paragraph (1) must—
(a)provide the following—
(i)the operator's name and the essential services it provides;
(ii)the time the NIS incident occurred;
(iii)the duration of the NIS incident;
(iv)information concerning the nature and impact of the NIS incident;
(v)information concerning any, or any likely, cross-border impact of the NIS incident; and
(vi)any other information that may be helpful to the competent authority; and
(b)be provided to the competent authority—
(i)without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred; and
(ii)in such form and manner as the competent authority determines.
(4) The information to be provided by an OES under paragraph (3)(a) is limited to information which may reasonably be expected to be within the knowledge of that OES.
(5) After receipt of a notification under paragraph (1), the competent authority must—
(a)assess what further action, if any, is required in respect of that incident; and
(b)share the NIS incident information with the CSIRT as soon as reasonably practicable.
[F2(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT may inform the relevant authorities in a Member State if the CSIRT considers that the incident has a significant impact on the continuity of an essential service provision in that Member State.]
(7) After receipt of a notification under paragraph (1), the competent authority or CSIRT may inform—
(a)the OES who provided the notification about any relevant information that relates to the NIS incident, including how it has been followed up, in order to assist that operator to deal with that incident more effectively or prevent a future incident; and
(b)the public about the NIS incident, as soon as reasonably practicable, if the competent authority or CSIRT is of the view that public awareness is necessary in order to handle that incident or prevent a future incident.
(8) Before the competent authority or CSIRT informs the public about a NIS incident under paragraph (7)(b), the competent authority or CSIRT must consult each other and the OES who provided the notification under paragraph (1).
(9) The competent authority must provide an annual report to the SPOC identifying the number and nature of NIS incidents notified to it under paragraph (1).
(10) The first report mentioned in paragraph (9) must be submitted on or before 1st July 2018 and subsequent reports must be submitted at annual intervals.
(11) The CSIRT is not required to share information under paragraph (6) if the information contains—
(a)confidential information; or
(b)information which may prejudice the security or commercial interests of an OES.
(12) Operators of essential services must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed by paragraphs (1) to (4).
Textual Amendments
F1Words in reg. 11(1) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 8 (with reg. 21)
Options/Help
Print Options
PrintThe Whole Instrument
PrintThe Whole Part
PrintThis Section only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
Explanatory Memorandum
Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as enacted version that was used for the print copy
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Impact Assessments
Impact Assessments generally accompany all UK Government interventions of a regulatory nature that affect the private sector, civil society organisations and public services. They apply regardless of whether the regulation originates from a domestic or international source and can accompany primary (Acts etc) and secondary legislation (SIs). An Impact Assessment allows those with an interest in the policy area to understand:
- Why the government is proposing to intervene;
- The main options the government is considering, and which one is preferred;
- How and to what extent new policies may impact on them; and,
- The estimated costs and benefits of proposed measures.
Timeline of Changes
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as made version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.