The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Statutory Instruments

2020 No. 1245

Electronic Communications

The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020

Made

5th November 2020

Laid before Parliament

10th November 2020

Coming into force

31st December 2020

The Secretary of State is a Minister designated(1) for the purposes of section 2(2) of the European Communities Act 1972(2) (“the 1972 Act”) in relation to electronic communications.

The Secretary of State makes the following Regulations in exercise of the powers conferred by section 2(2) of the 1972 Act.

Citation, commencement, application and interpretation

1.—(1) These Regulations may be cited as the Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 and come into force on 31st December 2020.

(2) These Regulations apply to—

(a)the United Kingdom, including its internal waters;

(b)the territorial sea adjacent to the United Kingdom; and

(c)the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964(3).

(3) In these Regulations, “the 2018 Regulations” means the Network and Information Systems Regulations 2018(4).

Amendment of the 2018 Regulations

2.  The 2018 Regulations are amended in accordance with regulations 3 to 20.

Amendments to regulation 1 (citation, commencement, interpretation and application)

3.  In regulation 1—

(a)in paragraph (2)—

(i)insert the following definitions in the appropriate places—

“First-tier Tribunal” has the meaning given by section 3(1) of the Tribunals, Courts and Enforcement Act 2007(5);

“OES” (“operator of an essential service”) means a person who is deemed to be designated as an operator of an essential service under regulation 8(1) or is designated as an operator of an essential service under regulation 8(3);;

(ii)omit the definition of “operator of an essential service”;

(b)in paragraph (3)(d)—

(i)for “an operator of an essential service” substitute “an OES”;

(ii)for “that operator” substitute “that OES”.

Amendments to regulation 6 (information sharing - enforcement authorities)

4.  In regulation 6—

(a)in paragraph (1)—

(i)in the opening text, after “with” insert “each other, relevant law-enforcement authorities,”;

(ii)for sub-paragraph (a) substitute—

(a)necessary for—

(i)the purposes of these Regulations or of facilitating the performance of any functions of a NIS enforcement authority under or by virtue of these Regulations or any other enactment;

(ii)national security purposes; or

(iii)purposes related to the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution;;

(b)after paragraph (1), insert—

(1A) Information shared under paragraph (1) may not be further shared by the person with whom it is shared under that paragraph for any purpose other than a purpose mentioned in that paragraph unless otherwise agreed by the NIS enforcement authority..

Amendments to regulation 8 (identification of operators of essential services)

5.  In regulation 8—

(a)after paragraph (1), insert—

(1A) Paragraph (1) does not apply to a network provider or service provider who is subject to the requirements of sections 105A to 105C of the Communications Act 2003(6) and in this paragraph “network provider” and “service provider” have the meanings given in section 105A(5) of that Act.;

(b)in paragraph (2), after “authority” insert “in writing”;

(c)in paragraph (6), omit sub-paragraph (a) and “and” after it;

(d)after paragraph (7), insert—

(7A) If a person has reasonable grounds to believe that they no longer fall within paragraph (1) or that the conditions for designation under paragraph (3) are no longer met in relation to them, they must as soon as practicable notify the designated competent authority in writing and provide with that notification evidence supporting that belief.

(7B) A competent authority that receives from a person a notification and supporting evidence referred to in paragraph (7A) must have regard to that notification and evidence in considering whether to revoke that person’s designation..

Insertion of regulation 8A

6.  After regulation 8, insert—

Nomination by an OES of a person to act on its behalf in the United Kingdom

8A.(1) This regulation applies to any OES(7) who has their head office outside the United Kingdom and—

(a)provides an essential service of a kind referred to in one or more of paragraphs 1, 2, 3 and 10 of Schedule 2 (energy or digital infrastructure sector) within the United Kingdom; or

(b)provides an essential service of a kind referred to in one or more of paragraphs 4 to 9 of Schedule 2 (transport, health or drinking water supply and distribution sector) within the United Kingdom and falls within paragraph (2).

(2) An OES falls within this paragraph if they have received a notice in writing from a designated competent authority for the OES requiring them to comply with this regulation.

(3) An OES to whom this regulation applies must—

(a)nominate in writing a person in the United Kingdom with the authority to act on their behalf under these Regulations, including for the service of documents for the purposes of regulation 24 (a “nominated person”);

(b)before the relevant date, notify the designated competent authority for the OES in writing of—

(i)their name;

(ii)the name and address of the nominated person; and

(iii)up-to-date contact details of the nominated person (including email addresses and telephone numbers).

(4) The OES must notify the designated competent authority for the OES of any changes to the information notified under paragraph (3)(b) as soon as practicable and in any event within seven days beginning with the day on which the change took effect.

(5) The designated competent authority for the OES and GCHQ may, for the purposes of carrying out their responsibilities under these Regulations, contact the nominated person instead of or in addition to the OES.

(6) A nomination under paragraph (3) is without prejudice to any legal action which could be initiated against the OES.

(7) In this regulation, “relevant date” means the date three months after—

(a)the first day (including that day) on which the OES was deemed to be designated as an OES under regulation 8(1); or

(b)the day (including that day) on which the OES was designated as an OES under regulation 8(3),

unless the first day referred to in sub-paragraph (a) or the day referred to in sub-paragraph (b) was before 31st December 2020 in which case it means 31st March 2021..

Amendments to regulation 9 (revocation)

7.  In regulation 9—

(a)in paragraph (1)—

(i)for the words from “satisfies” to “competent authority” substitute “is deemed to be designated as an OES under regulation 8(1), the designated competent authority for the OES”;

(ii)for “of that person, by notice” substitute “, by notice in writing”;

(b)in paragraph (2)—

(i)for the words from the beginning to “a person” substitute “The designated competent authority for an OES may revoke the designation of that OES”;

(ii)after “notice” insert “in writing”;

(c)in paragraph (3), in the opening text, after “a person”, in both places those words occur, insert “as an OES”.

Amendment to regulation 11 (duty to notify incidents)

8.  In regulation 11(1), after “authority” insert “for the OES in writing”.

Amendments to regulation 12 (relevant digital service providers)

9.  In regulation 12—

(a)in paragraph (3), after “Commissioner” insert “in writing”;

(b)in paragraph (5)—

(i)for sub-paragraph (a) substitute—

(a)the RDSP’s(8) name and the digital services that it provides;;

(ii)in each of sub-paragraphs (b) to (e), omit “NIS”;

(iii)in sub-paragraph (f), for “competent authority” substitute “Information Commissioner”;

(c)in paragraph (6)(a), after “RDSP is” insert “first”;

(d)in paragraph (9)—

(i)for “relevant competent authority” substitute “designated competent authority for the OES in writing”;

(ii)for “as soon as it occurs” substitute “without undue delay”;

(e)in paragraph (12), in the closing text, after “incident or” insert “the Commissioner may”.

Amendment to regulation 14 (registration with the Information Commissioner)

10.  In regulation 14(3), after “Commissioner” insert “in writing”.

Amendments to regulation 15 (information notices)

11.  In regulation 15—

(a)in paragraph (1), in the opening text—

(i)after “notice” insert “in writing”;

(ii)for “information that” substitute “all such information as”;

(b)in paragraph (2)—

(i)in the opening text—

(aa)after “notice” insert “in writing”;

(bb)for “that person” substitute “the OES”;

(cc)for “information that” substitute “all such information as”;

(dd)for “to assess” substitute “for one or more of the following purposes”;

(ii)for sub-paragraphs (a) and (b) substitute—

(a)to assess the security of the OES’s network and information systems;

(b)to establish whether there have been any events that the authority has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

(c)to identify any failure of the OES to comply with any duty set out in these Regulations;

(d)to assess the implementation of the OES’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.;

(c)in paragraph (3)—

(i)in the opening text—

(aa)after “notice” insert “in writing”;

(bb)for “information that” substitute “all such information as”;

(cc)for “to assess” substitute “for one or more of the following purposes”;

(ii)for sub-paragraphs (a) and (b) substitute—

(a)to assess the security of the RDSP’s network and information systems;

(b)to establish whether there have been any events that the Commissioner has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

(c)to identify any failure of the RDSP to comply with any duty set out in these Regulations;

(d)to assess the implementation of the RDSP’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.;

(d)omit paragraph (4);

(e)after paragraph (5) insert—

(5A) A person upon whom an information notice has been served under this regulation must comply with the requirements of the notice..

Amendments to regulation 16 (power of inspection)

12.  In regulation 16—

(a)in paragraph (1)—

(i)for the opening text substitute “The designated competent authority for an OES may—”;

(ii)in each of sub-paragraphs (a) and (b), after “conduct” insert “all or any part of”;

(iii)after sub-paragraph (b) omit “or”;

(iv)in sub-paragraph (c), after “conduct” insert “all or any part of”;

(v)omit the closing text;

(b)in paragraph (2)—

(i)in each of sub-paragraphs (a) and (b), after “conduct” insert “all or any part of”;

(ii)after sub-paragraph (b) omit “or”;

(iii)in sub-paragraph (c), after “conduct” insert “all or any part of”;

(iv)omit the closing text;

(c)in paragraph (3)—

(i)at the end of sub-paragraph (a), insert “if so required by the relevant competent authority or the Information Commissioner”;

(ii)in sub-paragraph (b), for the words from “person” to the end substitute “inspector”;

(iii)in sub-paragraph (c)—

(aa)omit “reasonable”; and

(bb)at the end, insert “in accordance with paragraph (5)(a)”;

(iv)for sub-paragraph (d) and “and” after that sub-paragraph substitute—

(d)allow the inspector to examine, print, copy or remove any document or information, and examine or remove any material or equipment, in accordance with paragraph (5)(d);;

(v)after sub-paragraph (e), insert—

(f)not intentionally obstruct an inspector performing their functions under these Regulations; and

(g)comply with any request made by, or requirement of, an inspector performing their functions under these Regulations.;

(d)in paragraph (4)—

(i)after “The”, insert “relevant”;

(ii)for “carry out” substitute “conduct all or any part of”;

(e)after paragraph (4), insert—

(5) An inspector may—

(a)at any reasonable time enter the premises of an OES or RDSP (except any premises used wholly or mainly as a private dwelling) if the inspector has reasonable grounds to believe that entry to those premises may be necessary or helpful for the purpose of the inspection;

(b)require an OES or RDSP to leave undisturbed and not to dispose of, render inaccessible or alter in any way any material, document, information, in whatever form and wherever it is held (including where it is held remotely), or equipment which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

(c)require an OES or RDSP to produce and provide the inspector with access, for the purposes of the inspection, to any such material, document, information or equipment which is, or which the inspector considers to be, relevant to the inspection, either immediately or within such period as the inspector may specify;

(d)examine, print, copy or remove any document or information, and examine or remove any material or equipment (including for the purposes of printing or copying any document or information) which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

(e)take a statement or statements from any person;

(f)conduct, or direct the OES or RDSP to conduct, tests;

(g)take any other action that the inspector considers appropriate and reasonably required for the purposes of the inspection.

(6) The inspector must—

(a)produce proof of the inspector’s identity if requested by any person present at the premises; and

(b)take appropriate and proportionate measures to ensure that any material, document, information or equipment removed in accordance with paragraph (5)(d) is kept secure from unauthorised access, interference and physical damage.

(7) Before exercising any power under paragraph (5)(b) to (d) or (g), the inspector—

(a)must take such measures as appear to the inspector appropriate and proportionate to ensure that the ability of the OES or RDSP, as the case may be, to comply with any duty set out in these Regulations will not be affected; and

(b)may consult such persons as appear to the inspector appropriate for the purpose of ascertaining the risks, if any, there may be in doing anything which the inspector proposes to do under that power.

(8) Where under paragraph (5)(d) an inspector removes any document, material or equipment, the inspector must provide, to the extent practicable, a notice giving—

(a)sufficient particulars of that document, material or equipment for it to be identifiable; and

(b)details of any procedures in relation to the handling or return of the document, material or equipment.

(9) In this regulation—

(a)a reference to a “test” is a reference to any process which is—

(i)employed to verify assertions about the security of a network or information system; and

(ii)based on interacting with that system, including components of that system,

and includes the exercising of any relevant security or resilience management process;

(b)“inspection” means any activity carried out (including any steps mentioned in paragraph (5)) for the purpose of—

(i)verifying compliance with the requirements of these Regulations; or

(ii)assessing or gathering evidence of potential or alleged failures to comply with the requirements of these Regulations,

including any necessary follow-up activity for either purpose;

(c)“inspector” means any person conducting all or any part of an inspection in accordance with paragraph (1) or (2)..

Amendments to regulation 17 (enforcement for breach of duties)

13.  In regulation 17—

(a)in the heading, after “enforcement” insert “notices”;

(b)in paragraph (1)—

(i)in the opening text—

(aa)at the beginning, insert “Subject to paragraph (2A),”;

(bb)omit “competent” in the second place it occurs;

(ii)before sub-paragraph (a) insert—

(za)notify it under regulation 8(2);

(zb)comply with the requirements stipulated in regulation 8A;;

(c)in paragraph (2)—

(i)at the beginning insert “Subject to paragraph (2A),”;

(ii)after sub-paragraph (d) insert—

(da)comply with the requirements stipulated in regulation 14A(9);;

(d)after paragraph (2), insert—

(2A) Before serving an enforcement notice under paragraph (1) or (2), the relevant competent authority or the Information Commissioner must inform the OES or RDSP, in such form and manner as it considers appropriate having regard to the facts and circumstances of the case, of—

(a)the alleged failure; and

(b)how and by when representations may be made in relation to the alleged failure and any related matters.

(2B) When the relevant competent authority or the Information Commissioner informs the OES or RDSP in accordance with paragraph (2A), it may also provide notice of its intention to serve an enforcement notice.

(2C) The relevant competent authority or the Information Commissioner may serve an enforcement notice on the OES or RDSP within a reasonable time, irrespective of whether it has provided any notice in accordance with paragraph (2B), having regard to the facts and circumstances of the case, after it has informed the OES or RDSP in accordance with paragraph (2A).

(2D) The relevant competent authority or the Information Commissioner must have regard to any representations made under paragraph (2A)(b).;

(e)in paragraph (3)—

(i)after sub-paragraph (b), insert “and”;

(ii)omit sub-paragraph (d) and “and” before it;

(f)after paragraph (3) insert—

(3A) An OES or RDSP upon whom an enforcement notice has been served under paragraph (1) or (2) must comply with the requirements, if any, of the notice regardless of whether the OES or RDSP has paid any penalty imposed on it under regulation 18.;

(g)in paragraph (4)(a)—

(i)for “the” substitute “any,”;

(ii)for “(3)(d)” substitute “(2A)”.

Amendments to regulation 18 (penalties)

14.  In regulation 18—

(a)for paragraphs (1) and (2) substitute—

(1) The designated competent authority for an OES may serve a notice of intention to impose a penalty on the OES if it has reasonable grounds to believe that the OES has failed to comply with a duty referred to in regulation 17(1) or the duty set out in regulation 17(3A) and considers that a penalty is warranted having regard to the facts and circumstances of the case.

(2) The Information Commissioner may serve a notice of intention to impose a penalty on a RDSP if it has reasonable grounds to believe that the RDSP has failed to comply with a duty referred to in regulation 17(2) or the duty set out in regulation (3A) and considers that a penalty is warranted having regard to the facts and circumstances of the case.;

(b)in paragraph (3)—

(i)in the opening text, for “penalty notice” substitute “notice of intention to impose a penalty”;

(ii)in sub-paragraph (b), after “that is” insert “intended”;

(iii)in sub-paragraph (c), after “notice”, insert “of intention to impose a penalty”;

(iv)for sub-paragraphs (d) to (f) substitute—

(d)the period within which a penalty will be required to be paid if a penalty notice is served;

(e)that the payment of a penalty under a penalty notice (if any) is without prejudice to the requirements of any enforcement notice (if any); and

(f)how and when representations may be made about the content of the notice of intention to impose a penalty and any related matters.;

(c)after paragraph (3), insert—

(3A) The relevant competent authority may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the OES with a final penalty decision if the authority is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

(3B) The Information Commissioner may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the RDSP with a final penalty decision if the Commissioner is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

(3C) The relevant competent authority or the Information Commissioner may serve a notice of intention to impose a penalty or a penalty notice irrespective of whether it has served or is contemporaneously serving an enforcement notice on the OES or RDSP under regulation 17(1) or (2).

(3D) A penalty notice must—

(a)be given in writing to the OES or RDSP;

(b)include reasons for the final penalty decision;

(c)require the OES or RDSP to pay—

(i)the penalty specified in the notice of intention to impose a penalty; or

(ii)such penalty as the relevant competent authority or the Information Commissioner considers appropriate in the light of any representations made by the OES or RDSP and any steps taken by the OES or RDSP to rectify the failure or to do one or more of the things required by an enforcement notice under regulation 17(3);

(d)specify the period within which the penalty must be paid (“the payment period”) and the date on which the payment period is to commence;

(e)provide details of the appeal process under regulation 19A; and

(f)specify the consequences of failing to make payment within the payment period.

(3E) It is the duty of the OES or RDSP to comply with any requirement imposed by a penalty notice.;

(d)in paragraph (5), in the opening text, for the words from “that is” to “served” substitute “of any penalty imposed”;

(e)in paragraph (6)—

(i)in the opening text, omit “that is to be imposed under a penalty notice”;

(ii)in sub-paragraph (a)—

(aa)after “which the” insert “NIS”;

(bb)for “could not cause a NIS incident” substitute “was not a material contravention”;

(iii)omit sub-paragraph (b);

(iv)in sub-paragraph (c)—

(aa)after “which the” insert “NIS”;

(bb)for the words from “has caused” to the end substitute “does not meet the criteria set out in sub-paragraph (d)”;

(v)in sub-paragraph (d)—

(aa)after “which the” insert “NIS”;

(bb)for the words from “has caused” to the end substitute “has or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES or RDSP.”;

(f)in paragraph (7)—

(i)in sub-paragraph (a), for paragraphs (i) and (ii) substitute—

(i)a failure to take, or adequately take, one or more of the steps required under an enforcement notice within the period specified in that notice to rectify a failure described in one or more of—

(aa)sub-paragraphs (a) to (d) of regulation 17(1); or

(bb)sub-paragraphs (a) to (d) of regulation 17(2); or

(ii)where an enforcement notice was not served or where no steps were required to be taken under an enforcement notice, a failure described in one or more of—

(aa)sub-paragraphs (a) to (d) of regulation 17(1); or

(bb)sub-paragraphs (a) to (d) of regulation 17(2).;

(ii)omit sub-paragraph (b).

Omission of regulation 19 (independent review of designation decisions and penalty decisions)

15.  Omit regulation 19.

Insertion of new regulations 19A, 19B and A20

16.  Before regulation 20 insert—

Appeal by an OES or RDSP to the First-tier Tribunal

19A.(1) An OES may appeal to the First-tier Tribunal against one or more of the following decisions of the designated competent authority for the OES on one or more of the grounds specified in paragraph (3)—

(a)a decision under regulation 8(3) to designate that person as an OES;

(b)a decision under regulation 9(1) or (2) to revoke the designation of that OES;

(c)a decision under regulation 17(1) to serve an enforcement notice on that OES;

(d)a decision under regulation 18(3A) to serve a penalty notice on that OES.

(2) A RDSP may appeal to the First-Tier Tribunal against one or both of the following decisions of the Information Commissioner on one or more of the grounds specified in paragraph (3)—

(a)a decision under regulation 17(2) to serve an enforcement notice on that RDSP;

(b)a decision under regulation 18(3B) to serve a penalty notice on that RDSP.

(3) The grounds of appeal referred to in paragraphs (1) and (2) are—

(a)that the decision was based on a material error as to the facts;

(b)that any of the procedural requirements under these Regulations in relation to the decision have not been complied with and the interests of the OES or RDSP have been substantially prejudiced by the non-compliance;

(c)that the decision was wrong in law;

(d)that there was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the interests of the OES or RDSP.

Decision of the First-tier Tribunal

19B.(1) The First-tier Tribunal must determine the appeal after considering the grounds of appeal referred to in regulation 19A(3) and by applying the same principles as would be applied by a court on an application for judicial review.

(2) The Tribunal may, until it has determined the appeal in accordance with paragraph (1) and unless the appeal is withdrawn, suspend the effect of the whole or part of any of the following decisions to which the appeal relates—

(a)a decision under regulation 8(3) to designate a person as an OES;

(b)a decision under regulation 9(1) or (2) to revoke the designation of a person as an OES;

(c)a decision under regulation 17(1) to serve an enforcement notice;

(d)a decision under regulation 17(2) to serve an enforcement notice;

(e)a decision under regulation 18(3A) to serve a penalty notice; or

(f)a decision under regulation 18(3B) to serve a penalty notice.

(3) The Tribunal may—

(a)confirm any decision to which the appeal relates; or

(b)quash the whole or part of any decision to which the appeal relates.

(4) Where the Tribunal quashes the whole or part of a decision to which the appeal relates, it must remit the matter back to the designated competent authority for the OES or, as the case may be, the Information Commissioner, with a direction to that authority or the Commissioner to reconsider the matter and make a new decision having regard to the ruling of the Tribunal.

(5) The relevant competent authority or, as the case may be, the Information Commissioner, must have regard to a direction under paragraph (4).

(6) Where the relevant competent authority or, as the case may be, the Information Commissioner, makes a new decision in accordance with a direction under paragraph (4), that decision is to be considered final.

Enforcement by civil proceedings

A20.(1) This regulation applies where—

(a)a designated competent authority for an OES has reasonable grounds to believe that the OES has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A); or

(b)the Information Commissioner has reasonable grounds to believe that a RDSP has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A).

(2) This regulation applies irrespective of whether the OES or RDSP has appealed to the First-tier Tribunal under regulation 19A.

(3) But where an OES or RDSP has appealed to the First-tier Tribunal under regulation 19A and the Tribunal has granted a suspension of the effect of the whole or part of the relevant decision under regulation 19B(2), the relevant competent authority or the Information Commissioner, as the case may be, may not bring or continue proceedings under this regulation in respect of that decision or that part of that decision for as long as the suspension has effect.

(4) Where paragraph (1)(a) applies, the relevant competent authority may commence civil proceedings against the OES—

(a)for an injunction to enforce the duty in regulation 17(3A);

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988(10); or

(c)for any other appropriate remedy or relief.

(5) Where paragraph (1)(b) applies, the Information Commissioner may commence civil proceedings against the RDSP—

(a)for an injunction to enforce the duty in regulation 17(3A);

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

(c)for any other appropriate remedy or relief.

(6) No civil proceedings may be commenced under this regulation before the end of a period of 28 days beginning with the day on which the last relevant enforcement notice was served on the OES or, as the case may be, RDSP.

(7) In this regulation, a reference to civil proceedings is a reference to proceedings, other than proceedings in respect of an offence, before a civil court in the United Kingdom..

Amendment to regulation 20 (enforcement of penalty notices)

17.  In regulation 20(6), for the words from “a review” to “the review” substitute “an appeal has been brought under regulation 19A and the appeal”.

Amendment to regulation 23 (enforcement action – general considerations)

18.  In regulation 23(1), for “17 or 18” substitute “17(1) or (2), 18(3A) or (3B) or A20,”.

Amendments to regulation 25 (review and report)

19.  In regulation 25—

(a)in paragraph (2)—

(i)after “2020” insert, “, the second report must be published on or before 9th May 2022”;

(ii)for “biennial intervals” substitute “intervals not exceeding five years”;

(b)in paragraph (4), in the opening text, for “that Act” substitute “the Small Business, Enterprise and Employment Act 2015(11)”.

Amendments to Schedule 2 (essential services and threshold requirements)

20.  In Schedule 2—

(a)in paragraph 2 (the oil subsector)—

(i)in sub-paragraph (3)—

(aa)in paragraph (a), omit “capacity” and at the end insert “not including transmission of crude oil”;

(bb)in paragraph (b), omit “capacity”;

(ii)in sub-paragraph (4)—

(aa)in paragraph (a), after “facility,” insert “an operator of a facility with a throughput of more than 3,000,000 tonnes of oil equivalent per year,”;

(bb)in paragraph (b) after “facility,” insert “an operator of a pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year.”;

(cc)omit the closing text;

(iii)in sub-paragraph (5), in the opening text—

(aa)for “oil” substitute “crude oil based fuel”;

(bb)for “treatment,” substitute “onshore”;

(iv)in sub-paragraph (6)—

(aa)in paragraph (i), for the words from “(other” to the end substitute “, an operator of an installation with a throughput of more than 3,000,000 tonnes of oil equivalent per year,”;

(bb)in paragraph (ii), after “installation,” insert “an operator of a pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year”;

(cc)omit the closing text;

(v)in sub-paragraph (8)—

(aa)in paragraph (c), for the words from “any” to the end substitute “substances derived from crude oil, not including crude oil itself;”;

(bb)for paragraph (e) substitute—

(e)“gas processing facility” has the meaning given by section 12(6) of the Gas Act 1995(12);;

(cc)after paragraph (j), insert—

(ja)“operator” means—

(i)in relation to a pipeline—

(aa)the person who is to have or (once any fluid or any mixture of fluids is conveyed) has control over the conveyance of any fluid or any mixture of fluids in the pipeline;

(bb)until that person is known, the person who is to commission or (where commissioning has started) commissions the design and construction of the pipeline; or

(cc)when a pipeline is no longer used or is not for the time being used, the person last having control over the conveyance of fluid or any mixture of fluids in it;

(ii)in relation to a production installation—

(aa)the person appointed by the licensee of the operator or by any other person to manage and control directly the execution of the main functions of a production installation; or

(bb)the licensee, where it is not clear to the designated competent authority that one person has been appointed to perform the functions described in paragraph (aa) or, in the opinion of that authority, the person appointed to perform the functions described in that paragraph is incapable of performing those functions satisfactorily;;

(dd)after paragraph (n), insert—

(na)“production installation” has the meaning given by regulation 2(1) of the Offshore Installations (Safety Case) Regulations 2005(13);;

(vi)in sub-paragraph (10)(c), after “sea” insert “(including the seabed and subsoil)”;

(vii)after sub-paragraph (10), insert—

(11) In this paragraph, “Great Britain” includes—

(a)Great Britain;

(b)the territorial sea adjacent to Great Britain; and

(c)the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964(14)..

(b)in paragraph 3 (the gas subsector)—

(i)in sub-paragraph (7), for paragraphs (a) and (b) substitute—

(a)an operator of a relevant gas processing facility, an operator of a facility with a throughput of more than 3,000,000 tonnes of oil equivalent per year; or

(b)a relevant upstream pipeline and associated infrastructure that is connected to and operated from such a relevant gas processing facility, and critical to the continued operation of that facility, an operator of a pipeline with a throughput of more than 3,000,000 tonnes of oil equivalent per year.;

(ii)in sub-paragraph (10)—

(aa)after paragraph (o), insert—

(oa)“operator” means—

(i)in relation to a pipeline—

(aa)the person who is to have or (once any fluid or any mixture of fluids is conveyed) has control over the conveyance of any fluid or any mixture of fluids in the pipeline;

(bb)until that person is known, the person who is to commission or (where commissioning has started) commissions the design and construction of the pipeline; or

(cc)when a pipeline is no longer used or is not for the time being used, the person last having control over the conveyance of fluid or any mixture of fluids in it;

(ii)in relation to a production installation—

(aa)the person appointed by the licensee of the operator or by any other person to manage and control directly the execution of the main functions of a production installation; or

(bb)the licensee, where it is not clear to the designated competent authority that one person has been appointed to perform the functions described in paragraph (aa) or, in the opinion of that authority, the person appointed to perform the functions described in that paragraph is incapable of performing those functions satisfactorily;;

(bb)after paragraph (s) insert—

(sa)“production installation” has the meaning given by regulation 2(1) of the Offshore Installations (Safety Case) Regulations 2005;;

(iii)in sub-paragraph (12)(c), after “sea” insert “(including the seabed and subsoil)”;

(iv)after sub-paragraph (12) insert—

(13) In this paragraph, “Great Britain” includes—

(a)Great Britain;

(b)the territorial sea adjacent to Great Britain; and

(c)the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964.;

(c)in paragraph 8(2)(c), for sub-paragraphs (iii) to (vi) substitute—

and

(iii)a Special Health Board, constituted under section 2 of the National Health Service (Scotland) Act 1978(15);;

(d)in paragraph 10 (the digital infrastructure subsector)—

(i)for sub-paragraphs (2) to (4) substitute—

(2) For the essential service of a TLD Name Registry, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is a TLD Name Registry which services 14 billion or more queries from any devices located within the United Kingdom in any consecutive 168-hour period for domains registered within the Internet Corporation for Assigned Names and Numbers (“ICANN”).

(3) For the essential service of a DNS resolver service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is a DNS resolver service which services 500,000 or more different Internet Protocol addresses used by persons in the United Kingdom in any consecutive 168-hour period.

(3A) For the essential service of a DNS authoritative hosting service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is a DNS authoritative hosting service which services 100,000 or more domains registered to persons with an address in the United Kingdom.

(4) For the essential service of an IXP provided by an IXP operator, irrespective of its place of establishment (whether within, or outside of, the United Kingdom), the threshold in the United Kingdom is an IXP operator which has 30% or more market share amongst IXP operators in the United Kingdom, in terms of interconnected autonomous systems.;

(ii)in sub-paragraph (5)—

(aa)in paragraph (a), for “domain name system” substitute “Domain Name System” and for the words from “in” to the end substitute “which processes and responds to queries for DNS resolution”;

(bb)in paragraph (b), for “domain name system” substitute “Domain Name System” and for “on” substitute “accessible via”;

(cc)after paragraph (c), omit “and” and insert—

(ca)“IXP Operator” means a person who provides an IXP to another person and, where one or more persons are employed or engaged to provide an IXP under the direction or control of another person, it means only that other person;.

Transitional and saving provisions

21.—(1) The 2018 Regulations as they were in force immediately before 31st December 2020 (“the pre-amendment Regulations”) continue to apply in respect of a request under regulation 19(1) or (2) of the 2018 Regulations where—

(a)the request was made before that date; and

(b)the reviewer has not before that date made any decision in relation to the request under regulation 19(9) of the 2018 Regulations.

(2) Where the pre-amendment Regulations continue to apply in accordance with paragraph (1) of this regulation and the reviewer upholds a designation decision or penalty decision in relation to an OES under regulation 19(9) of those Regulations—

(a)the relevant competent authority must—

(i)notify the OES that the OES may appeal to the First-tier Tribunal against the designation decision or penalty decision; and

(ii)explain to the OES the permitted grounds and procedure (including time limit) for bringing such an appeal; and

(b)the OES may appeal to the First-tier Tribunal against the designation decision or penalty decision on one or more of the following grounds—

(i)that the decision was based on a material error as to the facts;

(ii)that any of the procedural requirements under these Regulations in relation to the decision have not been complied with and the interests of the OES have been substantially prejudiced by the non-compliance;

(iii)that the decision was wrong in law;

(iv)that there was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the OES.

(3) Where the pre-amendment Regulations continue to apply in accordance with paragraph (1) of this regulation and the reviewer upholds a penalty decision in relation to a RDSP under regulation 19(9) of those Regulations—

(a)the Information Commissioner must—

(i)notify the RDSP that the RDSP may appeal to the First-tier Tribunal against the penalty decision; and

(ii)explain to the RDSP the permitted grounds and procedure (including time limit) for bringing such an appeal; and

(b)the RDSP may appeal to the First-tier Tribunal against the penalty decision on one or more of the following grounds—

(i)that the decision was based on a material error as to the facts;

(ii)that any of the procedural requirements under these Regulations in relation to the decision have not been complied with and the interests of the RDSP have been substantially prejudiced by the non-compliance;

(iii)that the decision was wrong in law;

(iv)that there was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the RDSP.

(4) For the purposes of rule 22(1)(b) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009(16)—

(a)in the case of an appeal under paragraph (2)(b) of this regulation, the notice of the decision to which the proceedings relate is the notice referred to in paragraph (2)(a)(i) of this regulation;

(b)in the case of an appeal under paragraph (3)(b) of this regulation, the notice of the decision to which the proceedings relate is the notice referred to in paragraph (3)(a)(i) of this regulation.

(5) The Tribunal must determine the appeal after considering the grounds of appeal referred to in paragraph (2)(b) or (3)(b), as the case may be, and by applying the same principles as would be applied by a court in an application for judicial review.

(6) The Tribunal may, until the appeal is withdrawn, or, where it is not withdrawn, until it has determined the appeal in accordance with paragraph (5), suspend the effect of—

(a)a designation decision to which the appeal relates;

(b)a penalty decision to which the appeal relates.

(7) The Tribunal may—

(a)confirm one or, as the case may be, both of the decisions to which the appeal relates; or

(b)quash the whole or part of one or, as the case may be, both of the decisions to which the appeal relates.

(8) Where the Tribunal quashes the whole or part of a decision to which the appeal relates, it must remit the matter back to the relevant competent authority or, as the case may be, the Information Commissioner, with a direction to that authority or the Commissioner to reconsider the matter and make a new decision having regard to the ruling of the Tribunal.

(9) The relevant competent authority or, as the case may be, the Information Commissioner, must have regard to a direction under paragraph (8).

(10) Where the relevant competent authority or, as the case may be, the Information Commissioner, makes a new decision in accordance with a direction under paragraph (8), this decision is to be considered final.

(11) Words and expressions used but not defined in this regulation that are also used in the pre-amendment Regulations have the same meanings as in the pre-amendment Regulations.

Matt Warman

Parliamentary Under Secretary of State

Department for Digital, Culture, Media and Sport

5th November 2020

EXPLANATORY NOTE

(This note is not part of the Regulations)

The Network and Information Systems Regulations 2018 (S.I. 2018/506) (“the 2018 Regulations”), as amended by the Network and Information Systems (Amendment) Regulations 2018 (S.I. 2018/629), implement Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the European Union (O.J. L 194, 19.7.2016, p. 1). These Regulations further amend the 2018 Regulations as follows.

Regulation 4 amends regulation 6 to extend the scope of the provision relating to the sharing of information by enforcement authorities.

Regulation 5 amends regulation 8 to make provision for the circumstances in which a person identified under that regulation as an operator of essential services (“OES”) has reasonable grounds to believe that they no longer meet the conditions for deemed or actual designation as an OES.

Regulation 6 inserts a new regulation (regulation 8A) in relation to an OES who has their head office outside the United Kingdom. It requires such an OES, or sets out the circumstances in which such an OES is required, to nominate a person to act on their behalf in the United Kingdom and makes further provision relating to that nomination.

Regulations 5, 7 to 11 and 14 make or include amendments to notice provisions to provide that they must be in writing.

Regulation 11 amends the provision in regulation 15 which sets out the purposes for which a competent authority designated under regulation 3(1) may serve an information notice upon an OES, corrects a drafting error in that regulation (by omitting paragraph (4)) and inserts a provision requiring compliance with information notices. Regulation 12 amends regulation 16 broadening the powers of inspection by, or initiated by, a NIS enforcement authority, that is, a designated competent authority (in relation to an OES) or the Information Commissioner (in relation to a relevant digital service provider (“RDSP”), as defined in regulation 1(3)(e)). Regulation 13 amends regulation 17 to extend the circumstances in which a NIS enforcement authority may serve an enforcement notice on an OES or RDSP for breaches of their duties under the 2018 Regulations. Regulation 14 amends regulation 18 so that it provides for the circumstances in which a NIS enforcement authority may serve a notice of intention to impose a penalty (rather than a penalty notice) and includes further new provision in relation to the imposition of penalties.

Regulation 15 removes the provisions (regulation 19) relating to the independent review of a decision to designate an OES or a penalty decision against an OES or RDSP. Regulation 16 inserts new regulations which provide for the circumstances in which an OES or RDSP may appeal to the First-tier Tribunal against a decision of a NIS enforcement authority (regulation 19A), how the Tribunal must determine the appeal (regulation 19B) and the circumstances in which a NIS enforcement authority may commence civil proceedings against an OES or RDSP (regulation A20).

Regulation 19 amends regulation 25 so that it provides that after the next report containing the Secretary of State’s conclusions of a review of the 2018 Regulations (to be published on or before 9th May 2022) subsequent reports must be published at intervals not exceeding five years (rather than biennially).

Regulation 20 amends the threshold requirements for qualification as an OES (for the purposes of regulation 8) in the oil, gas, healthcare (in Scotland) and digital infrastructure subsectors.

Regulation 21 makes transitional and saving provision for any request for an independent review of a decision under regulation 19 made before these Regulations come into force and makes new provision for appeals to the First-tier Tribunal.

An impact assessment for the 2018 Regulations has been produced by the Department for Digital, Culture, Media and Sport and is published alongside that instrument on www.legislation.gov.uk. A further impact assessment has not been produced for this instrument as no further significant impact on the private, and no impact on the voluntary, sector is foreseen.

An Explanatory Memorandum is published alongside this instrument at www.legislation.gov.uk.

The Directive referred to above is published at http://eur-lex.europa.eu.

(1)

S.I. 2001/3495. See article 2 and Schedule 1 to which there are amendments not relevant to these Regulations.

(2)

1972 c. 68. The European Communities Act 1972 (“the 1972 Act”) was repealed by section 1 of the European Union (Withdrawal) Act 2018 (c. 16) with effect from exit day, but saved with modifications until IP completion day by section 1A of that Act (as inserted by section 1 of the European Union (Withdrawal Agreement) Act 2020 (c. 1)). Section 2(2) of the 1972 Act was amended by section 27(1)(a) of the Legislative and Regulatory Reform Act 2006 (c. 51) and by Part 1 of the Schedule to the European Union (Amendment) Act 2008 (c. 7). In so far as these Regulations deal with matters that are within the devolved competence of Scottish Ministers, the power of the Secretary of State to make regulations in relation to those matters in or as regards Scotland is preserved by section 57(1) of the Scotland Act 1998 (c. 46).

(3)

1964 c. 29. Section 1(7) of the Continental Shelf Act 1964 was amended by section 37 of, and paragraph 1 of Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23), and section 103 of the Energy Act 2011 (c. 16).

(4)

S.I. 2018/506, amended by S.I. 2018/629.

(6)

2003 c. 21. Sections 105A to 105C were inserted by paragraph 65 of Schedule 1 to S.I. 2011/1210.

(7)

An OES is an operator of an essential service as defined in regulation 1(2) of the 2018 Regulations.

(8)

A RDSP is a relevant digital service provider as defined in regulation 1(3)(e) of the 2018 Regulations.

(9)

Regulation 14A and the related definition of “representative” are inserted into the 2018 Regulations by regulation 2 of S.I. 2019/1444 which comes into force on 20th January 2021.

(12)

1995 c. 45. Section 12(6) was amended by section 76(7) of the Utilities Act 2000 (2000 c. 27) and section 92(1) and (11)(a) of the Energy Act 2011 (2011 c. 16).

(13)

S.I. 2005/3117. This definition was amended by paragraphs 33 and 34(1) and (3) of Schedule 13 to S.I. 2015/398. Regulation 2(1) of the Offshore Installations (Safety Case) Regulations 2005 also defines “installation”, which is referred to in the definition of “production installation”, to mean an offshore installation within the meaning of regulation 3 of the Management Regulations, separately defined as the Offshore Installations and Pipeline Works (Management and Administration) Regulations 1995 (S.I. 1995/738). That regulation 3 was amended by regulation 2(2)(a) to (c) of S.I. 2002/2175 and paragraph 10(2) and (3) of Schedule 13 to S.I. 2015/398.

(14)

1964 c. 29. Section 1(7) of the Continental Shelf Act 1964 was amended by section 37 of, and paragraph 1 of Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23) and section 103 of the Energy Act 2011.

(15)

1978 c. 29. There are no amendments relevant to this instrument.

(16)

S.I. 2009/1976 (L. 20), amended by S.I. 2018/1053 (L. 10); there are other amending instruments but none is relevant.
