There are currently no known outstanding effects for The Network and Information Systems Regulations 2018, Section 1.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
1.—(1) These Regulations may be cited as the Network and Information Systems Regulations 2018 and come into force on 10th May 2018.
(2) In these Regulations—
“cloud computing service” means a digital service that enables access to a scalable and elastic pool of shareable computing resources;
“the Commission” means the Commission of the European Union;
[F1“EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact;]
“Cooperation Group” means the group established under Article 11(1);
“CSIRTs network” means the network established under Article 12(1);
“digital service” means a service within the meaning of point (b) of Article 1(1) of Directive 2015/1535 which is of any the following kinds—
(a) online marketplace;
(b) online search engine;
(c) cloud computing service;
“digital service provider” means any person who provides a digital service;
“Directive 2013/11” means Directive 2013/11/EU of the European Parliament and of the Council on alternative dispute resolution for consumer disputes M1, and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC, as amended from time to time;
“Directive 2015/1535” means Directive (EU) 2015/1535 of the European Parliament and of the Council laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services M2, as amended from time to time;
“Directive 2016/1148” means Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union M3, as amended from time to time;
“Drinking Water Quality Regulator for Scotland” means the person appointed by the Scottish Ministers under section 7(1) of the Water Industry (Scotland) Act 2002 M4;
“essential service” means a service which is essential for the maintenance of critical societal or economic activities;
[F2“First-tier Tribunal” has the meaning given by section 3(1) of the Tribunals, Courts and Enforcement Act 2007];
“GCHQ” means the Government Communications Headquarters within the meaning of section 3 of the Intelligence Services Act 1994 M5;
“incident” means any event having an actual adverse effect on the security of network and information systems;
“network and information system” (“NIS”) means—
(a) an electronic communications network within the meaning of section 32(1) of the Communications Act 2003 M6;
(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
(c) digital data stored, processed, retrieved or transmitted by elements covered under paragraph (a) or (b) for the purposes of their operation, use, protection and maintenance;
[F2“OES” (“operator of an essential service”) means a person who is deemed to be designated as an operator of an essential service under regulation 8(1) [F3or (2A)] or is designated as an operator of an essential service under regulation 8(3);]
“online marketplace” means a digital service that allows consumers and/or traders as respectively defined in point (a) and in point (b) of Article 4(1) of Directive 2013/11 to conclude online sales or service contracts with traders either on the online marketplace's website or on a trader's website that uses computing services provided by the online marketplace;
“online search engine” means a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found;
F4...
“relevant law-enforcement authority” has the meaning given in section 63A(1A) of the Police and Criminal Evidence Act 1984 M7; and
[F5“representative” means any natural or legal person established in the United Kingdom who is able to act on behalf of a digital service provider established outside the United Kingdom with regard to its obligations under these Regulations; and]
“risk” means any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems.
(3) In these Regulations a reference to—
[F6(a) an Article, Annex or paragraph of an Article or Annex is a reference to the Article, Annex or paragraph as numbered in Directive 2016/1148.]
(b) a numbered regulation, paragraph or Schedule is a reference to the regulation, paragraph or Schedule as numbered in these Regulations;
(c) “the relevant authorities in a Member State” is a reference to the designated single point of contact (“SPOC”), computer security incident response team (“CSIRT”) [F7or] national competent authorities for that Member State;
(d) the “designated competent authority for [F8an OES]” is a reference to the competent authority that is designated under regulation 3(1) for the subsector in relation to which [F9that OES] provides an essential service;
(e) a “relevant digital service provider” (“RDSP”) is a reference to a person who provides a digital service in the United Kingdom and satisfies the following conditions—
(i) the head office for that provider is in the United Kingdom or that provider has nominated a representative who is established in the United Kingdom;
(ii) the provider is not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC M8;
(f) the “NIS enforcement authorities” is a reference to the competent authorities designated under regulation 3(1) and the Information Commissioner;
(g) “security of network and information systems” means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.
(4) Expressions and words used in these Regulations which are also used in Directive 2016/1148 have the same meaning as in Directive 2016/1148.
(5) Nothing in these Regulations prevents a person from taking an action (or not taking an action) which that person considers is necessary for the purposes of safeguarding the United Kingdom's essential State functions, in particular—
(a) safeguarding national security, including protecting information the disclosure of which the person considers is contrary to the essential interests of the United Kingdom's security; and
(b) maintaining law and order, in particular, to allow for the investigation, detection and prosecution of criminal offences M9.
(6) These Regulations apply to—
(a) the United Kingdom, including its internal waters;
(b) the territorial sea adjacent to the United Kingdom;
(c) the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964 M10.
Textual Amendments
F1 Words in reg. 1 inserted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 (S.I. 2019/653), reg. 1(2), Sch. para. 2; 2020 c. 1, Sch. 5 para. 1(1)
F2 Words in reg. 1(2) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 3(a)(i) (with reg. 21)
F3 Words in reg. 1(2) inserted (1.7.2022) by Health and Care Act 2022 (c. 31), s. 186(6), Sch. 4 para. 236; S.I. 2022/734, reg. 2(a), Sch. (with regs. 13, 29, 30)
F4 Words in reg. 1(2) omitted (31.12.2020) by virtue of The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 3(a)(ii) (with reg. 21)
F5 Words in reg. 1(2) inserted (20.1.2021) by The Network and Information Systems (Amendment etc.) (EU Exit) (No. 2) Regulations 2019 (S.I. 2019/1444), regs. 1(2), 2(2); 2020 c. 1, Sch. 5 para. 1(1)
F6 Reg. 1(3)(a) substituted (20.6.2018) by The Network and Information Systems (Amendment) Regulations 2018 (S.I. 2018/629), regs. 1, 2(2)
F7 Word in reg. 1(3)(c) substituted (20.6.2018) by The Network and Information Systems (Amendment) Regulations 2018 (S.I. 2018/629), regs. 1, 2(3)
F8 Words in reg. 1(3)(d) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 3(b)(i) (with reg. 21)
F9 Words in reg. 1(3)(d) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 3(b)(ii) (with reg. 21)
Marginal Citations
M1 OJ No L 165, 18.6.2013, p63.
M2 OJ No L 241, 17.9.2015, p1.
M3 OJ No L 194, 19.7.2016, p1.
M5 1994 c.13. Section 3 was amended by section 251(1) and (2) of the Investigatory Powers Act 2016 (c. 25).
M6 2003 c.21. Section 32(1) was amended by regulation 2(1) of, and paragraphs 4 and 9(a) of Schedule 1 to, S.I. 2011/1210.
M7 1984 c.60. Section 63A(1A) and (1B) were substituted by section 81(2) of the Criminal Justice and Police Act 2001 (c.16). Subsection (1A) was amended by sections 117(5)(b) and 59 of, and paragraphs 43 and 46 of Schedule 4 to, the Serious and Organised Crime and Police Act 2005 (c. 15); and section 15(3) of, and paragraph 186 of Schedule 8 to, the Crime and Courts Act 2013 (c. 22).
M8 Commission Recommendation concerning the definition of micro, small and medium-sized enterprises (OJ No. L 124, 20.5.2003, p. 36).
M9 See Article 1(6) of Directive 2016/1148.
M10 1964 c. 29. Section 1(7) of the Continental Shelf Act 1964 was amended by section 37 of, and Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23), and section 103 of the Energy Act 2011 (c. 16).