Statutory Instruments
Exiting The European Union
Electronic Communications
Sift requirements satisfied
19th March 2019
Made
25th March 2019
Laid before Parliament
27th March 2019
Coming into force in accordance with regulation 1
The Secretary of State makes these Regulations in exercise of the powers conferred by section 8(1) of, and paragraph 21(b) of Schedule 7 to, the European Union (Withdrawal) Act 2018(1).
The requirements of paragraph 3(2) of Schedule 7 to that Act (relating to the appropriate Parliamentary procedure for these Regulations) have been satisfied.
1.—(1) These Regulations may be cited as the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019.
(2) These Regulations come into force on the twentieth day after exit day.
(3) In these Regulations, “the NIS Regulations” means the Network and Information Systems Regulations 2018(2).
2. In the Schedule—
(a)Part 1 amends domestic legislation (the NIS Regulations);
(b)Part 2 amends or revokes retained direct EU legislation.
Margot James
Minister for Digital and the Creative Industries
Department for Digital, Culture, Media and Sport
25th March 2019
Regulation 2
1. The NIS Regulations are amended as follows.
2. In regulation 1, after the definition of “the Commission”, insert—
““EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.”.
3. In regulation 2—
(a)omit paragraph (6);
(b)in paragraph (7), omit “or communicating it to the Commission”.
4. In regulation 3(3)—
(a)in subparagraph (c), omit “, including an indication of the importance of each operator in relation to the subsector in relation to which it provides an essential service”;
(b)omit subparagraph (g)(ii);
(c)after paragraph (3), insert—
“(3A) In relation to the subsector for which it is designated under paragraph (1), the competent authority may consult and co-operate with a public authority in the EU if it is in the interests of effective regulation of that subsector (whether inside or outside the United Kingdom).”.
5. In regulation 4—
(a)for paragraph (2), substitute—
“(2) The SPOC may liaise with the relevant authorities in any Member State of the EU, the Cooperation Group and the CSIRTs network if it considers it appropriate.”;
(b)after paragraph (2), insert—
“(2A) The SPOC must—
(a)consult and co-operate, as it considers appropriate, with relevant law enforcement authorities;
(b)co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.”;
(c)in paragraph (3)—
(i)in words before sub-paragraph (a), for “must”, substitute “may, if it considers it appropriate to do so”;
(ii)in subparagraph (b), omit “, indicating their importance in relation to that sector”;
(d)omit paragraphs (4) and (5).
6. In regulation 5—
(a)in paragraph (2), omit subparagraph (e);
(b)for paragraph (3) substitute—
“(3) The CSIRT may co-operate with or participate in international co-operation networks (including the CSIRTs network) if the CSIRT considers it appropriate to do so.”.
7. In regulation 6—
(a)in paragraph (1), for “the Commission and the relevant authorities in other Member States”, substitute “and public authorities in the EU”;
(b)in paragraph (2), for “the Commission or the relevant authorities in other Member States” substitute “a public authority in the EU”.
8. Omit regulation 8(7).
9. Omit regulation 9(5).
10. For regulation 11(6) substitute—
“(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT may inform the relevant authorities in a Member State if the CSIRT considers that the incident has a significant impact on the continuity of an essential service provision in that Member State.”.
11. In regulation 12—
(a)in paragraph (1), for “European Union” substitute “United Kingdom”;
(b)omit paragraphs (10) and (11);
(c)in paragraph (11), for “paragraph (10)”, substitute “these Regulations”;
(d)in paragraph (14), in the opening words, for “another Member State” substitute “a Member State of the EU”;
(e)omit paragraph (17).
12. For regulation 13 substitute—
13. The Information Commissioner may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the Information Commissioner considers that to do so would be in the interests of effective supervision of digital service providers (whether inside or outside the United Kingdom), including in the event of an incident notified under regulation 12(3).”.
13. In regulation 25—
(a)in paragraph (1)(a), after “these Regulations” insert “and in EU Regulation 2018/151”;
(b)omit paragraph (3).
14.—(1) Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact is amended as follows.
(2) For “digital service provider”, in each place it occurs, substitute “RDSP”.
(3) For “digital service providers”, in each place it occurs, substitute “RDSPs”.
(4) After Article 1, insert—
In this Regulation—
“NIS Regulations” means the Network and Information Systems Regulations 2018;
“RDSP” has the same meaning as in the NIS Regulations.”.
(5) In Article 2—
(a)In paragraph 1, for “point (a) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(i) of the NIS Regulations”;
(b)in paragraph 2, for “point (b) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(ii) of the NIS Regulations”;
(c)in paragraph 3, for “point (c) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(iii) of the NIS Regulations”;
(d)in paragraph 4, for “point (d) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(iv) of the NIS Regulations”;
(e)in paragraph 5, for “point (e) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(v) of the NIS Regulations”.
(6) In Article 3—
(a)in paragraph 1, for “point (a) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(i) of the NIS Regulations”;
(b)in paragraph 2, for “point (b) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(ii) of the NIS Regulations”;
(c)in paragraph 3—
(i)for “point (c) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(iii) of the NIS Regulations”;
(ii)after “Member States”, insert “of the EU”;
(d)in paragraph 4, for “point (d) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(iv) of the NIS Regulations”;
(e)in paragraph 5, for “point (e) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(v) of the NIS Regulations”.
(7) In Article 4—
(a)in paragraph 1—
(i)in point (a), before “Union” insert “European”;
(ii)in point (b), before “Union” insert “European”;
(iii)for point (d)—
(aa)before “Union” insert “European”;
(bb)for “EUR 1000 000” substitute “£880,000”;
(b)omit paragraph 2.
(8) After Article 5, omit the words from “This Regulation” to “Member States.”.
15. Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 is revoked.
16. In Annex 11 of the EEA Agreement, so far as it forms part of domestic law on and after exit day by virtue of section 3(1) of the European Union (Withdrawal) Act 2018, point 5cp is revoked insofar as it is retained EU law.
(This note is not part of the Regulations)
These Regulations are made in exercise of the powers conferred by section 8(1) of the European Union (Withdrawal) Act 2018 (c. 16) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under paragraphs (a), (b), (c), (d) and (g) of section 8(2)) which apply to this instrument arising from the withdrawal of the UK from the European Union.
Part 1 amends the Network and Information Systems Regulations 2018 (S.I. 2018/506) (the NIS Regulations) and Part 2 amends Commission Implementing Regulation (EU) 2018/151 (OJ No L 26, 31.1.2018, p. 48) as retained by the European Union (Withdrawal) Act 2018 (the Act) and revokes Regulation (EU) No 526/2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (the ENISA Regulation)(OJ L165, 18.6.2013, p.41) as retained by the Act.
The NIS Regulations place obligations on GCHQ and the NIS enforcement authorities (the Information Commissioner and the competent authorities which regulate the operators of essential services) to liaise, consult, co-operate and share information with certain EU bodies. The obligations derive from Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive)(OJ No L194, 19.7.2016, p.1). The UK will no longer be a Member State following the UK’s withdrawal from the EU and it will therefore no longer be appropriate to require these bodies to carry out these functions. These Regulations therefore amend the NIS Regulations so as to remove those obligations whilst retaining the ability of these bodies to continue to exercise those functions if required. These amendments are necessary in order to remove these deficient provisions from the UK statute book.
Regulation 2 of the NIS Regulations is amended so as to remove the obligation on UK ministers to communicate the NIS national strategy to the Commission. These amendments are necessary in order to remove these deficient provisions from the UK statute book.
Commission Implementing Regulation (EU) 2018/151 is amended so as to remove references to EU based services providers and to convert from Euros into sterling. These amendments are necessary in order to remove these deficient provisions from the UK statute book.
The ENISA Regulation is being revoked because it establishes and confers functions upon the European Union Agency for Network and Information Security (ENISA), which is an EU body. The Regulation is retained by the Act and cannot operate to have any effect in UK law. It is therefore being revoked so as to remove it from the UK statute book.
A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private or voluntary sector is foreseen.
An Explanatory Memorandum is published alongside the instrument at www.legislation.gov.uk.
The EU instruments referred to above are published at http://eur-lex.europa.eu.
S.I. 2018/506. This instrument was amended by S.I. 2018/629.