- Latest available (Revised)
- Original (As adopted by EU)
Commission Implementing Regulation (EU) 2018/151Show full title
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by RDSPs for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
You are here:
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
Opening Options
More Resources
Legislation originating from the EU
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
This item of legislation originated from the EU
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Changes over time for: Article 2
Changes to legislation:
There are currently no known outstanding effects for the Commission Implementing Regulation (EU) 2018/151, Article 2.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
Article 2U.K.Security elements
1.Security of systems and facilities referred to in [F1regulation 12(2)(c)(i) of the NIS Regulations] means the security of network and information systems and of their physical environment and shall include the following elements:
(a)the systematic management of network and information systems, which means a mapping of information systems and the establishment of a set of appropriate policies on managing information security, including risk analysis, human resources, security of operations, security architecture, secure data and system life cycle management and where applicable, encryption and its management;
(b)physical and environmental security, which means the availability of a set of measures to protect the security of [F2RDSPs]' network and information systems from damage using an all-hazards risk-based approach, addressing for instance system failure, human error, malicious action or natural phenomena;
(c)the security of supplies, which means the establishment and maintenance of appropriate policies in order to ensure the accessibility and where applicable the traceability of critical supplies used in the provision of the services;
(d)the access controls to network and information systems, which means the availability of a set of measures to ensure that the physical and logical access to network and information systems, including administrative security of network and information systems, is authorised and restricted based on business and security requirements.
2.With regard to incident handling referred to in [F3regulation 12(2)(c)(ii) of the NIS Regulations], the measures taken by the [F4RDSP] shall include:
(a)detection processes and procedures maintained and tested to ensure timely and adequate awareness of anomalous events;
(b)processes and policies on reporting incidents and identifying weaknesses and vulnerabilities in their information systems;
(c)a response in accordance with established procedures and reporting the results of the measure taken;
(d)an assessment of the incident's severity, documenting knowledge from incident analysis and collection of relevant information which may serve as evidence and support a continuous improvement process.
3.Business continuity management referred to in [F5regulation 12(2)(c)(iii) of the NIS Regulations] means the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident and shall include:
(a)the establishment and the use of contingency plans based on a business impact analysis for ensuring the continuity of the services provided by [F2RDSPs] which shall be assessed and tested on a regular basis for example, through exercises;
(b)disaster recovery capabilities which shall be assessed and tested on a regular basis for example, through exercises.
4.The monitoring, auditing and testing referred to in [F6regulation 12(2)(c)(iv) of the NIS Regulations] shall include the establishment and maintenance of policies on:
(a)the conducting of a planned sequence of observations or measurements to assess whether network and information systems are operating as intended;
(b)inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, and efficiency and effectiveness targets are being met;
(c)a process intended to reveal flaws in the security mechanisms of a network and information system that protect data and maintain functionality as intended. Such process shall include technical processes and personnel involved in the operation flow.
5.International standards referred to in [F7regulation 12(2)(c)(v) of the NIS Regulations] mean standards that are adopted by an international standardisation body as referred to in point (a) of Article 2(1) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(1). [F8United Kingdom, European and internationally accepted standards and specifications relevant to the security of network and information systems may also be used.]
6.[F2RDSPs] shall ensure that they have adequate documentation available to enable the competent authority to verify compliance with the security elements set out in paragraphs 1, 2, 3, 4 and 5.
Textual Amendments
F1Words in Art. 2(1) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 14(5)(a); 2020 c. 1, Sch. 5 para. 1(1)
F2Word in Regulation substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), Sch. para. 14(3); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in Art. 2(2) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 14(5)(b); 2020 c. 1, Sch. 5 para. 1(1)
F4Word in Regulation substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), Sch. para. 14(2); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in Art. 2(3) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 14(5)(c); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in Art. 2(4) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 14(5)(d); 2020 c. 1, Sch. 5 para. 1(1)
F7Words in Art. 2(5) substituted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 14(5)(e); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in Art. 2(5) substituted (12.1.2022) by The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 (S.I. 2021/1461), regs. 1, 4(2)
(1)
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
Options/Help
Print Options
PrintThe Whole Regulation
PrintThis Article only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the EU Official Journal
- lists of changes made by and/or affecting this legislation item
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.