The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020
| Jurisdiction | UK Non-devolved |
| Citation | SI 2020/1245 |
2020 No. 1245
Electronic Communications
The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020
Made 5th November 2020
Laid before Parliament 10th November 2020
Coming into force 31th December 2020
The Secretary of State is a Minister designated1for the purposes of section 2(2) of the European Communities Act 19722(“the 1972 Act”) in relation to electronic communications.
The Secretary of State makes the following Regulations in exercise of the powers conferred by section 2(2) of the 1972 Act.
Citation, commencement, application and interpretation
1.—(1) These Regulations may be cited as the Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 and come into force on 31st December 2020.
(2) These Regulations apply to—
(a)
(a) the United Kingdom, including its internal waters;
(b)
(b) the territorial sea adjacent to the United Kingdom; and
(c)
(c) the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 19643.
(3) In these Regulations, “the 2018 Regulations” means the Network and Information Systems Regulations 20184.
Amendment of the 2018 Regulations
2. The 2018 Regulations are amended in accordance with regulations 3 to 20.
Amendments to regulation 1 (citation, commencement, interpretation and application)
3. In regulation 1—
(a) in paragraph (2)—
(i) insert the following definitions in the appropriate places—
““First-tier Tribunal” has the meaning given by section 3(1) of the Tribunals, Courts and Enforcement Act 20075”;
““OES” (“operator of an essential service”) means a person who is deemed to be designated as an operator of an essential service under regulation 8(1) or is designated as an operator of an essential service under regulation 8(3);”;
(ii) omit the definition of “operator of an essential service”;
(b) in paragraph (3)(d)—
(i) for “an operator of an essential service” substitute “an OES”;
(ii) for “that operator” substitute “that OES”.
Amendments to regulation 6 (information sharing - enforcement authorities)
4. In regulation 6—
(a) in paragraph (1)—
(i) in the opening text, after “with” insert “each other, relevant law-enforcement authorities,”;
(ii) for sub-paragraph (a) substitute—
“(a)
“(a) necessary for—
the purposes of these Regulations or of facilitating the performance of any functions of a NIS enforcement authority under or by virtue of these Regulations or any other enactment;
national security purposes; or
purposes related to the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution;”;
(b) after paragraph (1), insert—
“1A. Information shared under paragraph (1) may not be further shared by the person with whom it is shared under that paragraph for any purpose other than a purpose mentioned in that paragraph unless otherwise agreed by the NIS enforcement authority.”.
Amendments to regulation 8 (identification of operators of essential services)
5. In regulation 8—
(a) after paragraph (1), insert—
“1A. Paragraph (1) does not apply to a network provider or service provider who is subject to the requirements of sections 105A to 105C of the Communications Act 20036and in this paragraph “network provider” and “service provider” have the meanings given in section 105A(5) of that Act.”;
(b) in paragraph (2), after “authority” insert “in writing”;
(c) in paragraph (6), omit sub-paragraph (a) and “and” after it;
(d) after paragraph (7), insert—
“7A. If a person has reasonable grounds to believe that they no longer fall within paragraph (1) or that the conditions for designation under paragraph (3) are no longer met in relation to them, they must as soon as practicable notify the designated competent authority in writing and provide with that notification evidence supporting that belief.
7B. A competent authority that receives from a person a notification and supporting evidence referred to in paragraph (7A) must have regard to that notification and evidence in considering whether to revoke that person’s designation.”.
Insertion of regulation 8A
6. After regulation 8, insert—
“Nomination by an OES of a person to act on its behalf in the United Kingdom
8A. (1) This regulation applies to any OES7who has their head office outside the United Kingdom and—
(a)
(a) provides an essential service of a kind referred to in one or more of paragraphs 1, 2, 3 and 10 of Schedule 2 (energy or digital infrastructure sector) within the United Kingdom; or
(b)
(b) provides an essential service of a kind referred to in one or more of paragraphs 4 to 9 of Schedule 2 (transport, health or drinking water supply and distribution sector) within the United Kingdom and falls within paragraph (2).
(2) An OES falls within this paragraph if they have received a notice in writing from a designated competent authority for the OES requiring them to comply with this regulation.
(3) An OES to whom this regulation applies must—
(a)
(a) nominate in writing a person in the United Kingdom with the authority to act on their behalf under these Regulations, including for the service of documents for the purposes of regulation 24 (a “nominated person”);
(b)
(b) before the relevant date, notify the designated competent authority for the OES in writing of—
their name;
the name and address of the nominated person; and
up-to-date contact details of the nominated person (including email addresses and telephone numbers).
(4) The OES must notify the designated competent authority for the OES of any changes to the information notified under paragraph (3)(b) as soon as practicable and in any event within seven days beginning with the day on which the change took effect.
(5) The designated competent authority for the OES and GCHQ may, for the purposes of carrying out their responsibilities under these Regulations, contact the nominated person instead of or in addition to the OES.
(6) A nomination under paragraph (3) is without prejudice to any legal action which could be initiated against the OES.
(7) In this regulation, “relevant date” means the date three months after—
(a)
(a) the first day (including that day) on which the OES was deemed to be designated as an OES under regulation 8(1); or
(b)
(b) the day (including that day) on which the OES was designated as an OES under regulation 8(3),
unless the first day referred to in sub-paragraph (a) or the day referred to in sub-paragraph (b) was before 31st December 2020 in which case it means 31st March 2021.”.
Amendments to regulation 9 (revocation)
7. In regulation 9—
(a) in paragraph (1)—
(i) for the words from “satisfies” to “competent authority” substitute “is deemed to be designated as an OES under regulation 8(1), the designated competent authority for the OES”;
(ii) for “of that person, by notice” substitute “, by notice in writing”;
(b) in paragraph (2)—
(i) for the words from the beginning to “a person” substitute “The designated competent authority for an OES may revoke the designation of that OES”;
(ii) after “notice” insert “in writing”;
(c) in paragraph (3), in the opening text, after “a person”, in both places those words occur, insert “as an OES”.
Amendment to regulation 11 (duty to notify incidents)
8. In regulation 11(1), after “authority” insert “for the OES in writing”.
Amendments to regulation 12 (relevant digital service providers)
9. In regulation 12—
(a) in paragraph (3), after “Commissioner” insert “in writing”;
(b) in paragraph (5)—
(i) for sub-paragraph (a) substitute—
“(a)
“(a) the RDSP’s8name and the digital services that it provides;”;
(ii) in each of sub-paragraphs (b) to (e), omit “NIS”;
(iii) in sub-paragraph (f), for “competent authority” substitute “Information Commissioner”;
(c) in paragraph (6)(a), after “RDSP is” insert “first”;
(d) in paragraph (9)—
(i) for “relevant competent authority” substitute “designated competent authority for the OES in writing”;
(ii) for “as soon as it occurs” substitute “without undue delay”;
(e) in paragraph (12), in the closing text, after “incident or” insert “the Commissioner may”.
Amendment to regulation 14 (registration with the Information Commissioner)
10. In regulation 14(3), after “Commissioner” insert “in writing”.
Amendments to regulation 15 (information notices)
11. In regulation 15—
(a) in paragraph (1), in the opening text—
(i) after “notice” insert “in writing”;
(ii) for “information that” substitute “all such information as”;
(b) in paragraph (2)—
(i) in the opening text—
(aa) after “notice” insert “in writing”;
(bb) for “that person” substitute “the OES”;
(cc) for “information that” substitute “all such information as”;
(dd) for “to assess” substitute “for one or more of the following purposes”;
(ii) for sub-paragraphs (a) and (b) substitute—
“(a)
“(a) to assess the security of the OES’s network and information systems;
(b)
(b) to establish whether there have been any events that the authority has reasonable grounds to believe have had, or could have, an adverse effect on the security of network and information systems and the nature and impact of those events;
(c)
(c) to identify any failure of the OES to comply with any duty set out in these Regulations;
(d)
(d) to assess the implementation of...
To continue reading
Request your trial