an Article, Annex or paragraph of an Article or Annex is a reference to the Article, Annex or paragraph as numbered in Directive 2016/1148.

a numbered regulation, paragraph or Schedule is a reference to the regulation, paragraph or Schedule as numbered in these Regulations;

“the relevant authorities in a Member State” is a reference to the designated single point of contact (“SPOC”), computer security incident response team (“CSIRT”) F2or national competent authorities for that Member State;

the “designated competent authority for F15an OES” is a reference to the competent authority that is designated under regulation 3(1) for the subsector in relation to which F16that OES provides an essential service;

the “NIS enforcement authorities” is a reference to the competent authorities designated under regulation 3(1) and the Information Commissioner;

“security of network and information systems” means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

safeguarding national security, including protecting information the disclosure of which the person considers is contrary to the essential interests of the United Kingdom's security; and

maintaining law and order, in particular, to allow for the investigation, detection and prosecution of criminal offences M9.

the United Kingdom, including its internal waters;

the territorial sea adjacent to the United Kingdom;

the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964 M10.

the sectors specified in column 1 of the table in Schedule 1 (“the relevant sectors”); and

digital services.

the regulatory measures and enforcement framework to secure the objectives and priorities of the strategy;

the roles and responsibilities of the key persons responsible for implementing the strategy;

the measures relating to preparedness, response and recovery, including cooperation between public and private sectors;

education, awareness-raising and training programmes relating to the strategy;

research and development plans relating to the strategy;

a risk assessment plan identifying any risks; and

a list of the persons involved in the implementation of the strategy.

review the application of these Regulations;

prepare and publish guidance;

keep a list of all the operators of essential services who are designated, or deemed to be designated, under regulation 8 F112...;

keep a list of all the revocations made under regulation 9;

send a copy of the lists mentioned in sub-paragraphs (c) and (d) to GCHQ, as the SPOC designated under regulation 4, to enable it to prepare the report mentioned in regulation 4(3);

consult and co-operate with the Information Commissioner when addressing incidents that result in breaches of personal data; and

review the application of these Regulations;

prepare and publish guidance; and

consult and co-operate with the persons mentioned in paragraph (3)(g), in order to fulfil the requirements of these Regulations.

published in such form and manner as the competent authority or Information Commissioner considers appropriate; and

reviewed at any time, and if it is revised following such a review, the competent authority or Information Commissioner must publish revised guidance as soon as reasonably practicable.

consult and co-operate, as it considers appropriate, with relevant law enforcement authorities;

co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.

the Cooperation Group based on the incident reports it received under regulation 11(9) and 12(15), including the number of notifications and the nature of notified incidents; and

the Commission identifying the number of operators of essential services for each subsector listed in Schedule 2 F118....

monitor incidents in the United Kingdom;

provide early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents;

respond to any incident notified to it under regulation 11(5)(b) or regulation 12(8);

provide dynamic risk and incident analysis and situational awareness;

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

establish relationships with the private sector to facilitate co-operation with that sector;

co-operate with NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.

limited to information which is relevant and proportionate to the purpose of the information sharing.

confidential information, or

information which may prejudice the security or commercial interests of operators of essential services or digital service providers.

a Northern Ireland Department may share information with the Northern Ireland competent authority; and

the Northern Ireland competent authority may share information with a Northern Ireland Department.

“the Northern Ireland competent authority” means the competent authority that is specified for Northern Ireland in column 3 of the table in Schedule 1 in relation to the subsectors specified in column 2 of that table; and

“a Northern Ireland Department” means a department mentioned in Schedule 1 to the Departments Act (Northern Ireland) 2016 M12.

relies on network and information systems; and

satisfies a threshold requirement described for that kind of essential service,

that person provides an essential service of a kind specified in F7... Schedule 2 for the subsector in relation to which the competent authority is designated under regulation 3(1);

the provision of that essential service by that person relies on network and information systems; and

the competent authority concludes that an incident affecting the provision of that essential service by that person is likely to have significant disruptive effects on the provision of the essential service.

the number of users relying on the service provided by the person;

the degree of dependency of the other relevant sectors on the service provided by that person;

the likely impact of incidents on the essential service provided by that person, in terms of its degree and duration, on economic and societal activities or public safety;

the market share of the essential service provided by that person;

the geographical area that may be affected if an incident impacts on the service provided by that person;

the importance of the provision of the service by that person for maintaining a sufficient level of that service, taking into account the availability of alternative means of essential service provision;

the likely consequences for national security if an incident impacts on the service provided by that person; and

any other factor the competent authority considers appropriate to have regard to, in order to arrive at a conclusion under this paragraph.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

invite the person to submit any written representations about the proposed decision to designate it as an OES.

10th August 2018, in the case of a person who falls within paragraph (1) on the date these Regulations come into force; or

in any other case, the date three months after the date on which the person falls within that paragraph.

provides an essential service of a kind referred to in one or more of paragraphs 1, 2, 3 and 10 of Schedule 2 (energy or digital infrastructure sector) within the United Kingdom; or

provides an essential service of a kind referred to in one or more of paragraphs 4 to 9 of Schedule 2 (transport, health or drinking water supply and distribution sector) within the United Kingdom and falls within paragraph (2).

nominate in writing a person in the United Kingdom with the authority to act on their behalf under these Regulations, including for the service of documents for the purposes of regulation 24 (a “nominated person”);

the first day (including that day) on which the OES was deemed to be designated as an OES under regulation 8(1); or

the day (including that day) on which the OES was designated as an OES under regulation 8(3),

serve a notice in writing of proposed revocation on that person;

provide reasons for the proposed decision;

invite that person to submit any written representations about the proposed decision within such time period as may be specified by the competent authority; and

consider any representations submitted by the person under sub-paragraph (c) before a final decision is taken to revoke the designation.

the number of users affected by the disruption of the essential service;

the duration of the incident; and

the geographical area affected by the incident.

assess what further action, if any, is required in respect of that incident; and

share the NIS incident information with the CSIRT as soon as reasonably practicable.

the OES who provided the notification about any relevant information that relates to the NIS incident, including how it has been followed up, in order to assist that operator to deal with that incident more effectively or prevent a future incident; and

the public about the NIS incident, as soon as reasonably practicable, if the competent authority or CSIRT is of the view that public awareness is necessary in order to handle that incident or prevent a future incident.

confidential information; or

information which may prejudice the security or commercial interests of an OES.

online marketplace;

online search engine; or

cloud computing service.

(having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed;

prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services; and

the RDSP’s name and the digital services that it provides;

the time the F32... incident occurred;

the duration of the F32... incident;

information concerning the nature and impact of the F32... incident;

information concerning any, or any likely, cross-border impact of the F32... incident; and

any other information that may be helpful to the F33Information Commissioner.

be made without undue delay and in any event no later than 72 hours after the RDSP is F34first aware that an incident has occurred; and

contain sufficient information to enable the Information Commissioner to determine the significance of any cross-border impact.

have regard to any relevant guidance published by the Information Commissioner.

confidential information; or

information which may prejudice the security or commercial interests of a RDSP.

consults with the RDSP responsible for an incident notification under paragraph (3), and

is of the view that public awareness about that incident is necessary to prevent or manage it, or is in the public interest,

the relevant authorities in the affected Member State notify the Information Commissioner about the incident;

the Commissioner consults with those relevant authorities; and

the Commissioner is of the view mentioned in F3paragraph (12)(b).

the name of the RDSP;

the address of its head office, or of its nominated representative; and

up-to-date contact details (including email addresses and telephone numbers).

1st November 2018, in the case of a RDSP who satisfies the conditions mentioned in regulation 1(3)(e) on the coming into force date of these Regulations, or

in any other case, the date three months after the RDSP satisfies those conditions.

has its head office outside the United Kingdom, but which offers digital services within the United Kingdom; and

is not a small or micro enterprise as defined in Commission Recommendation 2003/361/EC.

nominate in writing a representative in the United Kingdom; and

notify the Information Commissioner of the name and contact details of that representative.

in the case of a provider which is offering digital services within the United Kingdom on the coming into force date of these regulations, within three months of the date on which these regulations come into force; or

in any other case, within three months of the provider first offering digital services in the United Kingdom.

a threshold requirement described in F5... Schedule 2 is met; or

the conditions mentioned in regulation 8(3) are met.

to assess the security of the OES’s network and information systems;

to establish whether there have been any events that the authority has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

to identify any failure of the OES to comply with any duty set out in these Regulations;

to assess the implementation of the OES’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.

to assess the security of the RDSP’s network and information systems;

to establish whether there have been any events that the Commissioner has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;

to identify any failure of the RDSP to comply with any duty set out in these Regulations;

to assess the implementation of the RDSP’s security policies, including from the results of any inspection conducted under regulation 16 and any underlying evidence in relation to such an inspection.

describe the information that is required by the designated competent authority or the Information Commissioner;

provide the reasons for requesting such information;

specify the form and manner in which the requested information is to be provided; and

specify the time period within which the information must be provided.

be served by publishing it in such manner as the designated competent authority considers appropriate in order to bring it to the attention of any persons who are described in the notice as the persons from whom the information is required; and

take the form of a general request for a certain category of persons to provide the information that is specified in the notice.

conduct F53all or any part of an inspection;

appoint a person to conduct F54all or any part of an inspection on its behalf; F55...

direct the OES to appoint a person who is approved by that authority to conduct F56all or any part of an inspection on its behalf,

conduct F58all or any part of an inspection;

appoint a person to conduct F59all or any part of an inspection on its behalf; F60...

direct that a RDSP appoint a person who is approved by the Information Commissioner to conduct F61all or any part of an inspection on its behalf,

pay the reasonable costs of the inspection F63if so required by the relevant competent authority or the Information Commissioner;

co-operate with the F64inspector;

provide the inspector with F65... access to their premises F66in accordance with paragraph (5)(a);

allow the inspector to examine, print, copy or remove any document or information, and examine or remove any material or equipment, in accordance with paragraph (5)(d);

allow the inspector access to any person from whom the inspector seeks relevant information for the purposes of the inspection;

not intentionally obstruct an inspector performing their functions under these Regulations; and

comply with any request made by, or requirement of, an inspector performing their functions under these Regulations.

at any reasonable time enter the premises of an OES or RDSP (except any premises used wholly or mainly as a private dwelling) if the inspector has reasonable grounds to believe that entry to those premises may be necessary or helpful for the purpose of the inspection;

require an OES or RDSP to leave undisturbed and not to dispose of, render inaccessible or alter in any way any material, document, information, in whatever form and wherever it is held (including where it is held remotely), or equipment which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

require an OES or RDSP to produce and provide the inspector with access, for the purposes of the inspection, to any such material, document, information or equipment which is, or which the inspector considers to be, relevant to the inspection, either immediately or within such period as the inspector may specify;

examine, print, copy or remove any document or information, and examine or remove any material or equipment (including for the purposes of printing or copying any document or information) which is, or which the inspector considers to be, relevant for such period as is, or as the inspector considers to be, necessary for the purposes of the inspection;

take a statement or statements from any person;

conduct, or direct the OES or RDSP to conduct, tests;

take any other action that the inspector considers appropriate and reasonably required for the purposes of the inspection.

produce proof of the inspector’s identity if requested by any person present at the premises; and

take appropriate and proportionate measures to ensure that any material, document, information or equipment removed in accordance with paragraph (5)(d) is kept secure from unauthorised access, interference and physical damage.

must take such measures as appear to the inspector appropriate and proportionate to ensure that the ability of the OES or RDSP, as the case may be, to comply with any duty set out in these Regulations will not be affected; and

may consult such persons as appear to the inspector appropriate for the purpose of ascertaining the risks, if any, there may be in doing anything which the inspector proposes to do under that power.

sufficient particulars of that document, material or equipment for it to be identifiable; and

details of any procedures in relation to the handling or return of the document, material or equipment.

“inspector” means any person conducting all or any part of an inspection in accordance with paragraph (1) or (2).

notify it under regulation 8(2);

comply with the requirements stipulated in regulation 8A;

fulfil the security duties under regulation 10(1) and (2);

notify a NIS incident under regulation 11(1);

comply with the notification requirements stipulated in regulation 11(3);

notify an incident as required by regulation 12(9);

comply with an information notice issued under regulation 15; or

fulfil its duties under regulation 12(1) or (2);

notify an incident under regulation 12(3);

comply with the notification requirements stipulated in regulation 12(5);

comply with a direction made by the Information Commissioner under regulation 12(12);

comply with the requirements stipulated in regulation 14A;

comply with an information notice issued under regulation 15; or

the alleged failure; and

how and by when representations may be made in relation to the alleged failure and any related matters.

the reasons for serving the notice;

the alleged failure which is the subject of the notice; F79and

what steps, if any, must be taken to rectify the alleged failure and the time period during which such steps must be taken; F80...

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F82any representations submitted in accordance with paragraph F83(2A); or

any steps taken to rectify the alleged failure;

the reasons for imposing a penalty;

the sum that is F86intended to be imposed as a penalty and how it is to be paid;

the date on which the notice F87of intention to impose a penalty is given;

the period within which a penalty will be required to be paid if a penalty notice is served;

that the payment of a penalty under a penalty notice (if any) is without prejudice to the requirements of any enforcement notice (if any); and

how and when representations may be made about the content of the notice of intention to impose a penalty and any related matters.

be given in writing to the OES or RDSP;

include reasons for the final penalty decision;

specify the period within which the penalty must be paid (“the payment period”) and the date on which the payment period is to commence;

provide details of the appeal process under regulation 19A; and

specify the consequences of failing to make payment within the payment period.

the competent authority or Information Commissioner determines is appropriate and proportionate to the failure in respect of which it is imposed; and

is in accordance with paragraph (6).

not exceed £1,000,000 for any contravention which the F92NIS enforcement authority determines F93was not a material contravention;

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

not exceed £8,500,000 for a material contravention which the F95NIS enforcement authority determines F96does not meet the criteria set out in sub-paragraph (d); and

not exceed £17,000,000 for a material contravention which the F97NIS enforcement authority determines F98has or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES or RDSP.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

a decision under regulation 8(3) to designate that person as an OES;

a decision under regulation 9(1) or (2) to revoke the designation of that OES;

a decision under regulation 17(1) to serve an enforcement notice on that OES;

a decision under regulation 18(3A) to serve a penalty notice on that OES.

a decision under regulation 17(2) to serve an enforcement notice on that RDSP;

a decision under regulation 18(3B) to serve a penalty notice on that RDSP.

that the decision was based on a material error as to the facts;

that any of the procedural requirements under these Regulations in relation to the decision have not been complied with and the interests of the OES or RDSP have been substantially prejudiced by the non-compliance;

that the decision was wrong in law;

that there was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the interests of the OES or RDSP.

a decision under regulation 8(3) to designate a person as an OES;

a decision under regulation 9(1) or (2) to revoke the designation of a person as an OES;

a decision under regulation 17(1) to serve an enforcement notice;

a decision under regulation 17(2) to serve an enforcement notice;

a decision under regulation 18(3A) to serve a penalty notice; or

a decision under regulation 18(3B) to serve a penalty notice.

confirm any decision to which the appeal relates; or

quash the whole or part of any decision to which the appeal relates.

a designated competent authority for an OES has reasonable grounds to believe that the OES has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A); or

the Information Commissioner has reasonable grounds to believe that a RDSP has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A).

for an injunction to enforce the duty in regulation 17(3A);

for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

for any other appropriate remedy or relief.

for an injunction to enforce the duty in regulation 17(3A);

for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

for any other appropriate remedy or relief.

in relation to England and Wales, to be treated for the purposes of section 98 of the Courts Act 2003 M13 (register of judgments and order etc.) as if it were a judgment entered in the county court;

in relation to Northern Ireland, to be treated for the purposes of Article 116 of the Judgments Enforcement (Northern Ireland) Order 1981 M14 (register of judgments) as if it were a judgment in respect of which an application has been accepted under Article 22 or 23(1) of that Order.

a “NIS function” means a function that is carried out under these Regulations except any function under regulations 17(1) to (4) and 18 to 20; and

“enforcement authority” has the same meaning as in regulation 18(7)(b).

the Welsh Ministers must be paid into the Welsh Consolidated Fund established under section 117 of the Government of Wales Act 2006 M15; and

the Scottish Ministers or the Drinking Water Quality Regulator for Scotland, must be paid into the Scottish Consolidated Fund established under section 64 of the Scotland Act 1998 M16.

any representations made by the OES or RDSP, as the case may be, about the contravention and the reasons for it, if any;

any steps taken by the OES or RDSP to comply with the requirements set out in these Regulations;

any steps taken by the OES or RDSP to rectify the contravention;

whether the OES or RDSP had sufficient time to comply with the requirements set out in these Regulations; and

whether the contravention is also liable to enforcement under another enactment.

delivering it to that person in person;

leaving it at the person's proper address; or

sending it by post or electronic means to that person's proper address.

in any other case, a person's last known address, which includes an email address.

carry out a review of the regulatory provision contained in these Regulations F133and in EU Regulation 2018/151; and

publish a report setting out the conclusions of that review.

set out the objectives intended to be achieved by the regulatory provision referred to in paragraph (1)(a);

assess the extent to which those objectives are achieved;

assess whether those objectives remain appropriate; and

if those objectives remain appropriate, assess the extent to which they could be achieved in another way which involves less onerous regulatory provision.