The Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019

Regulation 2

SCHEDULEAmendments of retained EU law

PART 1Domestic legislation

1.  The NIS Regulations are amended as follows.

2.  In regulation 1, after the definition of “the Commission”, insert—

““EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.”.

3.  In regulation 2—

(a)omit paragraph (6);

(b)in paragraph (7), omit “or communicating it to the Commission”.

4.  In regulation 3(3)—

(a)in subparagraph (c), omit “, including an indication of the importance of each operator in relation to the subsector in relation to which it provides an essential service”;

(b)omit subparagraph (g)(ii);

(c)after paragraph (3), insert—

“(3A) In relation to the subsector for which it is designated under paragraph (1), the competent authority may consult and co-operate with a public authority in the EU if it is in the interests of effective regulation of that subsector (whether inside or outside the United Kingdom).”.

5.  In regulation 4—

(a)for paragraph (2), substitute—

“(2) The SPOC may liaise with the relevant authorities in any Member State of the EU, the Cooperation Group and the CSIRTs network if it considers it appropriate.”;

(b)after paragraph (2), insert—

“(2A) The SPOC must—

(a)consult and co-operate, as it considers appropriate, with relevant law enforcement authorities;

(b)co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.”;

(c)in paragraph (3)—

(i)in words before sub-paragraph (a), for “must”, substitute “may, if it considers it appropriate to do so”;

(ii)in subparagraph (b), omit “, indicating their importance in relation to that sector”;

(d)omit paragraphs (4) and (5).

6.  In regulation 5—

(a)in paragraph (2), omit subparagraph (e);

(b)for paragraph (3) substitute—

“(3) The CSIRT may co-operate with or participate in international co-operation networks (including the CSIRTs network) if the CSIRT considers it appropriate to do so.”.

7.  In regulation 6—

(a)in paragraph (1), for “the Commission and the relevant authorities in other Member States”, substitute “and public authorities in the EU”;

(b)in paragraph (2), for “the Commission or the relevant authorities in other Member States” substitute “a public authority in the EU”.

8.  Omit regulation 8(7).

9.  Omit regulation 9(5).

10.  For regulation 11(6) substitute—

“(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT may inform the relevant authorities in a Member State if the CSIRT considers that the incident has a significant impact on the continuity of an essential service provision in that Member State.”.

11.  In regulation 12—

(a)in paragraph (1), for “European Union” substitute “United Kingdom”;

(b)omit paragraphs (10) and (11);

(c)in paragraph (11), for “paragraph (10)”, substitute “these Regulations”;

(d)in paragraph (14), in the opening words, for “another Member State” substitute “a Member State of the EU”;

(e)omit paragraph (17).

12.  For regulation 13 substitute—

“Co-operation with the European Union

13.  The Information Commissioner may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the Information Commissioner considers that to do so would be in the interests of effective supervision of digital service providers (whether inside or outside the United Kingdom), including in the event of an incident notified under regulation 12(3).”.

13.  In regulation 25—

(a)in paragraph (1)(a), after “these Regulations” insert “and in EU Regulation 2018/151”;

(b)omit paragraph (3).

PART 2Retained direct EU legislation

Commission Implementing Regulation (EU) 2018/151

14.—(1) Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact is amended as follows.

(2) For “digital service provider”, in each place it occurs, substitute “RDSP”.

(3) For “digital service providers”, in each place it occurs, substitute “RDSPs”.

(4) After Article 1, insert—

“Article 1A

Interpretation

In this Regulation—

“NIS Regulations” means the Network and Information Systems Regulations 2018;

“RDSP” has the same meaning as in the NIS Regulations.”.

(5) In Article 2—

(a)In paragraph 1, for “point (a) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(i) of the NIS Regulations”;

(b)in paragraph 2, for “point (b) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(ii) of the NIS Regulations”;

(c)in paragraph 3, for “point (c) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(iii) of the NIS Regulations”;

(d)in paragraph 4, for “point (d) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(iv) of the NIS Regulations”;

(e)in paragraph 5, for “point (e) of Article 16(1) of Directive (EU) 2016/1148” substitute “regulation 12(2)(c)(v) of the NIS Regulations”.

(6) In Article 3—

(a)in paragraph 1, for “point (a) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(i) of the NIS Regulations”;

(b)in paragraph 2, for “point (b) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(ii) of the NIS Regulations”;

(c)in paragraph 3—

(i)for “point (c) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(iii) of the NIS Regulations”;

(ii)after “Member States”, insert “of the EU”;

(d)in paragraph 4, for “point (d) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(iv) of the NIS Regulations”;

(e)in paragraph 5, for “point (e) of Article 16(4) of Directive (EU) 2016/1148” substitute “regulation 12(7)(a)(v) of the NIS Regulations”.

(7) In Article 4—

(a)in paragraph 1—

(i)in point (a), before “Union” insert “European”;

(ii)in point (b), before “Union” insert “European”;

(iii)for point (d)—

(aa)before “Union” insert “European”;

(bb)for “EUR 1000 000” substitute “£880,000”;

(b)omit paragraph 2.

(8) After Article 5, omit the words from “This Regulation” to “Member States.”.

Regulation (EU) No 526/2013

15.  Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 is revoked.

Revocation of provision of EEA agreement

16.  In Annex 11 of the EEA Agreement, so far as it forms part of domestic law on and after exit day by virtue of section 3(1) of the European Union (Withdrawal) Act 2018, point 5cp is revoked insofar as it is retained EU law.