Article 1U.K.Subject matter

This Regulation specifies further the elements to be taken into account by [F1RDSPs] when identifying and taking measures to ensure a level of security of network and information systems which they use in the context of offering services referred to in Annex III to Directive (EU) 2016/1148 and specifies further the parameters to be taken into account to determine whether an incident has a substantial impact on the provision of those services.

[F3Article 1AU.K.Interpretation

In this Regulation—

• “NIS Regulations” means the Network and Information Systems Regulations 2018;

• “RDSP” has the same meaning as in the NIS Regulations.]

Article 2U.K.Security elements

1.Security of systems and facilities referred to in [F4regulation 12(2)(c)(i) of the NIS Regulations] means the security of network and information systems and of their physical environment and shall include the following elements:

(a)the systematic management of network and information systems, which means a mapping of information systems and the establishment of a set of appropriate policies on managing information security, including risk analysis, human resources, security of operations, security architecture, secure data and system life cycle management and where applicable, encryption and its management;

(b)physical and environmental security, which means the availability of a set of measures to protect the security of [F1RDSPs]' network and information systems from damage using an all-hazards risk-based approach, addressing for instance system failure, human error, malicious action or natural phenomena;

(c)the security of supplies, which means the establishment and maintenance of appropriate policies in order to ensure the accessibility and where applicable the traceability of critical supplies used in the provision of the services;

(d)the access controls to network and information systems, which means the availability of a set of measures to ensure that the physical and logical access to network and information systems, including administrative security of network and information systems, is authorised and restricted based on business and security requirements.

2.With regard to incident handling referred to in [F5regulation 12(2)(c)(ii) of the NIS Regulations], the measures taken by the [F2RDSP] shall include:

(a)detection processes and procedures maintained and tested to ensure timely and adequate awareness of anomalous events;

(b)processes and policies on reporting incidents and identifying weaknesses and vulnerabilities in their information systems;

(c)a response in accordance with established procedures and reporting the results of the measure taken;

(d)an assessment of the incident's severity, documenting knowledge from incident analysis and collection of relevant information which may serve as evidence and support a continuous improvement process.

3.Business continuity management referred to in [F6regulation 12(2)(c)(iii) of the NIS Regulations] means the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident and shall include:

(a)the establishment and the use of contingency plans based on a business impact analysis for ensuring the continuity of the services provided by [F1RDSPs] which shall be assessed and tested on a regular basis for example, through exercises;

(b)disaster recovery capabilities which shall be assessed and tested on a regular basis for example, through exercises.

4.The monitoring, auditing and testing referred to in [F7regulation 12(2)(c)(iv) of the NIS Regulations] shall include the establishment and maintenance of policies on:

(a)the conducting of a planned sequence of observations or measurements to assess whether network and information systems are operating as intended;

(b)inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, and efficiency and effectiveness targets are being met;

(c)a process intended to reveal flaws in the security mechanisms of a network and information system that protect data and maintain functionality as intended. Such process shall include technical processes and personnel involved in the operation flow.

5.International standards referred to in [F8regulation 12(2)(c)(v) of the NIS Regulations] mean standards that are adopted by an international standardisation body as referred to in point (a) of Article 2(1) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(2). [F9United Kingdom, European and internationally accepted standards and specifications relevant to the security of network and information systems may also be used.]

6.[F1RDSPs] shall ensure that they have adequate documentation available to enable the competent authority to verify compliance with the security elements set out in paragraphs 1, 2, 3, 4 and 5.

Article 3U.K.Parameters to be taken into account to determine whether the impact of an incident is substantial

1.With regard to the number of users affected by an incident, in particular users relying on the service for the provision of their own services referred to in [F10regulation 12(7)(a)(i) of the NIS Regulations], the [F2RDSP] shall be in a position to estimate either of the following:

(a)the number of affected natural and legal persons with whom a contract for the provision of the service has been concluded; or

(b)the number of affected users having used the service based in particular on previous traffic data.

2.The duration of an incident referred to in [F11regulation 12(7)(a)(ii) of the NIS Regulations] means the time period from the disruption of the proper provision of the service in terms of availability, authenticity, integrity or confidentiality until the time of recovery.

3.As far as the geographical spread with regard to the area affected by the incident referred to in [F12regulation 12(7)(a)(iii) of the NIS Regulations] is concerned, the [F2RDSP] shall be in a position to identify whether the incident affects the provision of its services in specific [F13areas of the United Kingdom].

4.The extent of disruption of the functioning of the service referred to in [F14regulation 12(7)(a)(iv) of the NIS Regulations] shall be measured as regards one or more of the following characteristics impaired by an incident: the availability, authenticity, integrity or confidentiality of data or related services.

5.With regard to the extent of the impact on economic and societal activities referred to in [F15regulation 12(7)(a)(v) of the NIS Regulations], the [F2RDSP] shall be able to conclude, based on indications such as the nature of his contractual relations with the customer or, where appropriate, the potential number of affected users, whether the incident has caused significant material or non-material losses for the users such as in relation to health, safety or damage to property.

6.For the purpose of paragraph 1, 2, 3, 4 and 5, the [F1RDSPs] shall not be required to collect additional information to which they do not have access.

F16Article 4U.K.Substantial impact of an incident

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 5U.K.Entry into force

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from 10 May 2018.