The Network and Information Systems Regulations 2018

Identification of operators of essential services


8.—(1) If a person provides an essential service of a kind referred to in F1... Schedule 2 and that service—

(a) relies on network and information systems; and

(b) satisfies a threshold requirement described for that kind of essential service,

that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.

[F2(1A) Paragraph (1) does not apply to a network provider or service provider who is subject to the requirements of sections 105A to 105C of the Communications Act 2003 and in this paragraph “network provider” and “service provider” have the meanings given in section 105A(5) of that Act.]

(2) A person who falls within paragraph (1) must notify the designated competent authority [F3 in writing] of that fact before the notification date.

[F4(2A) Each integrated care board is deemed to be designated as an OES for the healthcare settings subsector and, in relation to an integrated care board, any services provided by it (including the making of arrangements for the provision of services by others) are deemed to be essential services.]

(3) Even if a person does not meet the threshold requirement mentioned in paragraph (1)(b), a competent authority may designate that person as an OES for the subsector in relation to which that competent authority is designated under regulation 3(1), if the following conditions are met—

(a) that person provides an essential service of a kind specified in F5... Schedule 2 for the subsector in relation to which the competent authority is designated under regulation 3(1);

(b) the provision of that essential service by that person relies on network and information systems; and

(c) the competent authority concludes that an incident affecting the provision of that essential service by that person is likely to have significant disruptive effects on the provision of the essential service.

(4) In order to arrive at the conclusion mentioned in paragraph (3)(c), the competent authority must have regard to the following factors—

(a) the number of users relying on the service provided by the person;

(b) the degree of dependency of the other relevant sectors on the service provided by that person;

(c) the likely impact of incidents on the essential service provided by that person, in terms of its degree and duration, on economic and societal activities or public safety;

(d) the market share of the essential service provided by that person;

(e) the geographical area that may be affected if an incident impacts on the service provided by that person;

(f) the importance of the provision of the service by that person for maintaining a sufficient level of that service, taking into account the availability of alternative means of essential service provision;

(g) the likely consequences for national security if an incident impacts on the service provided by that person; and

(h) any other factor the competent authority considers appropriate to have regard to, in order to arrive at a conclusion under this paragraph.

(5) A competent authority must designate an OES under paragraph (3) by notice in writing served on the person who is to be designated and provide reasons for the designation in the notice.

(6) Before a competent authority designates a person as an OES under paragraph (3), the authority may—

F6(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b) invite the person to submit any written representations about the proposed decision to designate it as an OES.

F7(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F8(7A) If a person has reasonable grounds to believe that they no longer fall within paragraph (1) or that the conditions for designation under paragraph (3) are no longer met in relation to them, they must as soon as practicable notify the designated competent authority in writing and provide with that notification evidence supporting that belief.

(7B) A competent authority that receives from a person a notification and supporting evidence referred to in paragraph (7A) must have regard to that notification and evidence in considering whether to revoke that person’s designation.]

(8) A competent authority must maintain a list of all the persons who are deemed to be designated under paragraph (1) [F9 or (2A)] or designated under paragraph (3) for the subsectors in relation to which that competent authority is designated under regulation 3(1).

(9) The competent authority must review the list mentioned in paragraph (8) at regular intervals and in accordance with paragraph (10).

(10) The first review under paragraph (9) must take place before 9th May 2020, and subsequent reviews must take place, at least, biennially.

(11) In this regulation [F10 the “notification date” means]

(a) 10th August 2018, in the case of a person who falls within paragraph (1) on the date these Regulations come into force; or

(b) in any other case, the date three months after the date on which the person falls within that paragraph.

Textual Amendments