The Network and Information Systems Regulations 2018

The duty to notify incidents

11.—(1) An OES must notify the designated competent authority about any incident which has a significant impact on the continuity of the essential service which that OES provides (“a network and information systems (“NIS”) incident”).

(2) In order to determine the significance of the impact of an incident an OES must have regard to the following factors—

(a)the number of users affected by the disruption of the essential service;

(b)the duration of the incident; and

(c)the geographical area affected by the incident.

(3) The notification mentioned in paragraph (1) must—

(a)provide the following—

(i)the operator’s name and the essential services it provides;

(ii)the time the NIS incident occurred;

(iii)the duration of the NIS incident;

(iv)information concerning the nature and impact of the NIS incident;

(v)information concerning any, or any likely, cross-border impact of the NIS incident; and

(vi)any other information that may be helpful to the competent authority; and

(b)be provided to the competent authority—

(i)without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred; and

(ii)in such form and manner as the competent authority determines.

(4) The information to be provided by an OES under paragraph (3)(a) is limited to information which may reasonably be expected to be within the knowledge of that OES.

(5) After receipt of a notification under paragraph (1), the competent authority must—

(a)assess what further action, if any, is required in respect of that incident; and

(b)share the NIS incident information with the CSIRT as soon as reasonably practicable.

(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT must inform the relevant authorities in a Member State if the incident has a significant impact on the continuity of an essential service provision in that Member State.

(7) After receipt of a notification under paragraph (1), the competent authority or CSIRT may inform—

(a)the OES who provided the notification about any relevant information that relates to the NIS incident, including how it has been followed up, in order to assist that operator to deal with that incident more effectively or prevent a future incident; and

(b)the public about the NIS incident, as soon as reasonably practicable, if the competent authority or CSIRT is of the view that public awareness is necessary in order to handle that incident or prevent a future incident.

(8) Before the competent authority or CSIRT informs the public about a NIS incident under paragraph (7)(b), the competent authority or CSIRT must consult each other and the OES who provided the notification under paragraph (1).

(9) The competent authority must provide an annual report to the SPOC identifying the number and nature of NIS incidents notified to it under paragraph (1).

(10) The first report mentioned in paragraph (9) must be submitted on or before 1st July 2018 and subsequent reports must be submitted at annual intervals.

(11) The CSIRT is not required to share information under paragraph (6) if the information contains—

(a)confidential information; or

(b)information which may prejudice the security or commercial interests of an OES.

(12) Operators of essential services must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed by paragraphs (1) to (4).