ReviewsU.K.
11. A network provider or service provider must—
(a)undertake regular reviews of the provider’s security measures in relation to the public electronic communications network or public electronic communications service, taking into account relevant developments relating to the risks of security compromises occurring, and
(b)undertake at least once in any period of 12 months a review of the risks of security compromises occurring in relation to the network or service in order to produce a written assessment of the extent of the overall risk of security compromises occurring within the next 12 months, taking into account—
(i)in the case of a network provider, risks identified under regulation 3(3)(a),
(ii)risks identified under regulation 5(2),
(iii)risks identified under regulation 6(1),
(iv)risks identified under regulation 7(1),
(v)risks identified under regulation 10(4),
(vi)the results of reviews carried out in accordance with sub-paragraph (a),
(vii)the results of tests carried out in accordance with regulation 14, and
(viii)any other relevant information.