- Latest available (Revised)
- Original (As made)
There are currently no known outstanding effects for the The Network and Information Systems Regulations 2018, Section 17.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
17.—(1) [F2Subject to paragraph (2A),] the designated competent authority for an OES may serve an enforcement notice upon that OES if the F3... authority has reasonable grounds to believe that the OES has failed to—
[F4(za)notify it under regulation 8(2);
(zb)comply with the requirements stipulated in regulation 8A;]
(a)fulfil the security duties under regulation 10(1) and (2);
(b)notify a NIS incident under regulation 11(1);
(c)comply with the notification requirements stipulated in regulation 11(3);
(d)notify an incident as required by regulation 12(9);
(e)comply with an information notice issued under regulation 15; or
(f)comply with—
(i)a direction given under regulation 16(1)(c), or
(ii)the requirements stipulated in regulation 16(3).
(2) [F5Subject to paragraph (2A),] the Information Commissioner may serve an enforcement notice upon a RDSP if the Commissioner has reasonable grounds to believe that the RDSP has failed to—
(a)fulfil its duties under regulation 12(1) or (2);
(b)notify an incident under regulation 12(3);
(c)comply with the notification requirements stipulated in regulation 12(5);
(d)comply with a direction made by the Information Commissioner under regulation 12(12);
[F6(da)comply with the requirements stipulated in regulation 14A;]
(e)comply with an information notice issued under regulation 15; or
(f)comply with—
(i)a direction given under regulation 16(2)(c), or
(ii)the requirements stipulated in regulation 16(3).
[F7(2A) Before serving an enforcement notice under paragraph (1) or (2), the relevant competent authority or the Information Commissioner must inform the OES or RDSP, in such form and manner as it considers appropriate having regard to the facts and circumstances of the case, of—
(a)the alleged failure; and
(b)how and by when representations may be made in relation to the alleged failure and any related matters.
(2B) When the relevant competent authority or the Information Commissioner informs the OES or RDSP in accordance with paragraph (2A), it may also provide notice of its intention to serve an enforcement notice.
(2C) The relevant competent authority or the Information Commissioner may serve an enforcement notice on the OES or RDSP within a reasonable time, irrespective of whether it has provided any notice in accordance with paragraph (2B), having regard to the facts and circumstances of the case, after it has informed the OES or RDSP in accordance with paragraph (2A).
(2D) The relevant competent authority or the Information Commissioner must have regard to any representations made under paragraph (2A)(b).]
(3) An enforcement notice that is served under paragraph (1) or (2) must be in writing and must specify the following—
(a)the reasons for serving the notice;
(b)the alleged failure which is the subject of the notice; [F8and]
(c)what steps, if any, must be taken to rectify the alleged failure and the time period during which such steps must be taken; F9...
F9(d). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
[F10(3A) An OES or RDSP upon whom an enforcement notice has been served under paragraph (1) or (2) must comply with the requirements, if any, of the notice regardless of whether the OES or RDSP has paid any penalty imposed on it under regulation 18.]
(4) If the relevant competent authority or Information Commissioner is satisfied that no further action is required, having considered—
(a)[F11any] representations submitted in accordance with paragraph [F12(2A)]; or
(b)any steps taken to rectify the alleged failure;
it must inform the OES or the RDSP, as the case may be, in writing, as soon as reasonably practicable.
(5) The OES or RDSP may request reasons for a decision to take no further action under paragraph (4) within 28 days of being informed of that decision.
(6) Upon receipt of a request under paragraph (5), the relevant competent authority or Information Commissioner must provide written reasons for a decision under paragraph (4) within a reasonable time and in any event no later than 28 days.
Textual Amendments
F1Word in reg. 17 heading inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(a) (with reg. 21)
F2Words in reg. 17(1) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(b)(i)(aa) (with reg. 21)
F3Word in reg. 17(1) omitted (31.12.2020) by virtue of The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(b)(i)(bb) (with reg. 21)
F4Reg. 17(1)(za)(zb) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(b)(ii) (with reg. 21)
F5Words in reg. 17(2) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(c)(i) (with reg. 21)
F6Reg. 17(2)(da) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(c)(ii) (with reg. 21)
F7Reg. 17(2A)-(2D) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(d) (with reg. 21)
F8Word in reg. 17(3) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(e)(i) (with reg. 21)
F9Reg. 17(3)(d) and word omitted (31.12.2020) by virtue of The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(e)(ii) (with reg. 21)
F10Reg. 17(3A) inserted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(f) (with reg. 21)
F11Word in reg. 17(4)(a) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(g)(i) (with reg. 21)
F12Word in reg. 17(4)(a) substituted (31.12.2020) by The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (S.I. 2020/1245), regs. 1(1), 13(g)(ii) (with reg. 21)
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
Impact Assessments generally accompany all UK Government interventions of a regulatory nature that affect the private sector, civil society organisations and public services. They apply regardless of whether the regulation originates from a domestic or international source and can accompany primary (Acts etc) and secondary legislation (SIs). An Impact Assessment allows those with an interest in the policy area to understand:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: