PART 1Domestic legislation

1.  The NIS Regulations are amended as follows.

2.  In regulation 1, after the definition of “the Commission”, insert—

““EU Regulation 2018/151” means Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.”.

3.  In regulation 2—

(a)omit paragraph (6);

(b)in paragraph (7), omit “or communicating it to the Commission”.

4.  In regulation 3(3)—

(a)in subparagraph (c), omit “, including an indication of the importance of each operator in relation to the subsector in relation to which it provides an essential service”;

(b)omit subparagraph (g)(ii);

(c)after paragraph (3), insert—

“(3A) In relation to the subsector for which it is designated under paragraph (1), the competent authority may consult and co-operate with a public authority in the EU if it is in the interests of effective regulation of that subsector (whether inside or outside the United Kingdom).”.

5.  In regulation 4—

(a)for paragraph (2), substitute—

“(2) The SPOC may liaise with the relevant authorities in any Member State of the EU, the Cooperation Group and the CSIRTs network if it considers it appropriate.”;

(b)after paragraph (2), insert—

“(2A) The SPOC must—

(a)consult and co-operate, as it considers appropriate, with relevant law enforcement authorities;

(b)co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations.”;

(c)in paragraph (3)—

(i)in words before sub-paragraph (a), for “must”, substitute “may, if it considers it appropriate to do so”;

(ii)in subparagraph (b), omit “, indicating their importance in relation to that sector”;

(d)omit paragraphs (4) and (5).

6.  In regulation 5—

(a)in paragraph (2), omit subparagraph (e);

(b)for paragraph (3) substitute—

“(3) The CSIRT may co-operate with or participate in international co-operation networks (including the CSIRTs network) if the CSIRT considers it appropriate to do so.”.

7.  In regulation 6—

(a)in paragraph (1), for “the Commission and the relevant authorities in other Member States”, substitute “and public authorities in the EU”;

(b)in paragraph (2), for “the Commission or the relevant authorities in other Member States” substitute “a public authority in the EU”.

8.  Omit regulation 8(7).

9.  Omit regulation 9(5).

10.  For regulation 11(6) substitute—

“(6) After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT may inform the relevant authorities in a Member State if the CSIRT considers that the incident has a significant impact on the continuity of an essential service provision in that Member State.”.

11.  In regulation 12—

(a)in paragraph (1), for “European Union” substitute “United Kingdom”;

(b)omit paragraphs (10) and (11);

(c)in paragraph (11), for “paragraph (10)”, substitute “these Regulations”;

(d)in paragraph (14), in the opening words, for “another Member State” substitute “a Member State of the EU”;

(e)omit paragraph (17).

12.  For regulation 13 substitute—

“Co-operation with the European Union

13.  The Information Commissioner may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the Information Commissioner considers that to do so would be in the interests of effective supervision of digital service providers (whether inside or outside the United Kingdom), including in the event of an incident notified under regulation 12(3).”.

13.  In regulation 25—

(a)in paragraph (1)(a), after “these Regulations” insert “and in EU Regulation 2018/151”;

(b)omit paragraph (3).