A bill to Make provision, including provision amending the Network and Information Systems Regulations 2018, about the security and resilience of network and information systems used or relied on in connection with the carrying on of essential activities.
Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—
Part 1 — Introduction¶
1 Meaning of “the NIS Regulations”¶
In this Act, “the NIS Regulations” means the Network and Information Systems Regulations 2018 (S.I. 2018/506).2 Overview of Act¶
Part 2 — The NIS Regulations¶
Chapter 1 — Persons regulated under the NIS Regulations¶
Operators of essential services¶
3 Identification of operators of essential services¶
(1ZA) Paragraph (1) applies to a person whether or not the person is established in the United Kingdom.
(1A) Paragraph (1) does not apply to a person in relation to the provision by the person of a public electronic communications network or a public electronic communications service (in each case as defined by section 151(1) of the Communications Act 2003).
(3A) A person may be designated under paragraph (3) whether or not the person is established in the United Kingdom.
4 Data centres to be regulated as essential services¶
.Data infrastructure
Data infrastructure
The Office of Communications (United Kingdom)
The data infrastructure subsector
11. (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the data infrastructure subsector. (2) For the essential service of the provision of a data centre service in the United Kingdom, otherwise than on an enterprise basis, the threshold requirement is that the rated IT load of the data centre is equal to or greater than 1 megawatt. (3) For the essential service of the provision of a data centre service in the United Kingdom on an enterprise basis, the threshold requirement is that the rated IT load of the data centre is equal to or greater than 10 megawatts. (4) “Data centre service” means a service consisting of the provision of a physical structure (a “data centre”) which— (a) contains an area for the housing, connection and operation of relevant IT equipment, and (b) provides supporting infrastructure for or in connection with the operation of relevant IT equipment. (5) “Relevant IT equipment” means equipment used for the purposes of providing information technology services. (6) “Supporting infrastructure” means one or more of the following— (a) infrastructure for the supply of electricity; (b) infrastructure for environmental control; (c) infrastructure to ensure the security of the data centre and of relevant IT equipment in the data centre; (d) infrastructure to ensure the resilience of the data centre and of relevant IT equipment in the data centre. (7) A data centre service is provided on an enterprise basis if— (a) the data centre is owned or managed by a person in connection with the carrying on of an undertaking by the person, and (b) the sole purpose of the data centre is to provide information technology services for that undertaking. (8) In this paragraph— (a) “environmental control” includes heating, ventilation, air conditioning and control of matters such as airborne dust, humidity and flames; (b) the “rated IT load” of a data centre is the maximum electrical power available for the operation of relevant IT equipment housed in the data centre; (c) “structure” includes a building or part of a building, and references to a structure include references to a group of structures.
5 Operators of data centre services: Crown application etc¶
In regulation 8 of the NIS Regulations (identification of operators of essential services), before paragraph (7A) insert—(7ZA) Subject to paragraph (7ZB), paragraphs (1) and (3) apply in relation to the provision of an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2 (a “data centre service”) by or on behalf of the Crown. (7ZB) Paragraphs (1) and (3) do not apply in relation to the provision of a data centre service by or on behalf of the Crown— (a) where the person providing the service is the Security Service, the Secret Intelligence Service or GCHQ, or (b) to the extent that the service— (i) is provided by a person on a commercial basis on behalf of His Majesty’s Government, and (ii) is provided for the purpose of enabling the storage, processing or transmission of information or other material which is classified as “secret” or “top secret” in accordance with the policy of His Majesty’s Government on security classification of documents.
6 Designation of large load controllers as operators of an essential service¶
(5A) For the essential service of load control, the threshold requirement in the United Kingdom is a load controller whose potential electrical control, in relation to relevant ESAs managed by the controller, is equal to or greater than 300 megawatts. (5B) For the purposes of sub-paragraph (5A), a load controller’s potential electrical control, in relation to relevant ESAs managed by it, is the aggregate of— (a) the maximum flow of electricity into all of those relevant ESAs (taken together), and (b) the maximum flow of electricity out of all of those relevant ESAs (taken together), which is capable of being achieved in response to load control signals sent by the load controller.(5C) For the purposes of this paragraph— (a) “relevant ESA” means an energy smart appliance (as defined by section 238(2) of the Energy Act 2023) which is any of the following— (i) an electric vehicle; (ii) a charge point (for electric vehicles); (iii) an electrical heating appliance; (iv) a battery energy storage system; (v) a virtual power plant; (b) a relevant ESA is “managed” by a person if the person controls the flow of electricity into and out of the relevant ESA by way of load control signals sent by the person to the relevant ESA; (c) the maximum flow of electricity into or out of a particular relevant ESA is to be determined by reference to the electrical capacity of the relevant ESA as stated by the manufacturer of the relevant ESA. (5D) Where load control signals are sent to a relevant ESA by a person (an “intermediary”) acting under the direction of or on behalf of a load controller, that relevant ESA is to be treated for the purposes of this paragraph as managed by the load controller (and not by the intermediary) unless sub-paragraph (5E) applies. (5E) Where the intermediary is capable of adjusting or processing the load control signals sent to a relevant ESA, and is authorised by the load controller to do so— (a) the relevant ESA is to be treated for the purposes of this paragraph as managed by both the load controller and the intermediary, and (b) the intermediary is also to be treated for those purposes as a load controller.
;(aa) “charge point” has the same meaning as in Part 2 of the Automated and Electric Vehicles Act 2018 (see section 9 of that Act);
;(ca) “electric vehicle” means a vehicle which is capable of being propelled by electrical power derived from a storage battery; (cb) “electrical heating appliance” means any of the following— (i) a hydronic heat pump; (ii) a hot water heat pump; (iii) a hybrid heat pump; (iv) a direct electric hot water cylinder; (v) an electric storage heater; (vi) a heat battery;
.(ga) “load control” and “load control signal” have the same meaning as in Part 9 of the Energy Act 2023 (see section 238 of that Act), and “load controller” means a person which provides the service of load control;
Providers of digital services¶
7 Digital services¶
.cloud computing service means a digital service— (a) which enables access to a scalable and elastic pool of shareable computing resources (such as networks, servers, software and storage) where— (i) there is broad remote access to the service, (ii) the service is capable of being provided on demand and on a self-service basis, (iii) the pool of computing resources may be distributed across two or more locations, and (iv) the service is not provided by a person solely for use for the purposes of a business or other activity carried on for that person, and (b) which is not a managed service;
.relevant digital service means an online marketplace, an online search engine or a cloud computing service;
(2A) For the purposes of the definition of “cloud computing service” in paragraph (2)— (a) “broad remote access” means the ability to access and use the service from any authorised location or facility, by means of any capable device or platform (including a computer or mobile device); (b) a pool of computing resources is “scalable” if the resources are flexibly allocated by the provider of the service, irrespective of the geographical location of the resources, in order to handle fluctuations in demand; (c) a pool of computing resources is “elastic” if the resources are provided and released according to demand, in order to rapidly increase and decrease available resources depending on workload; (d) computing resources are “shareable” if— (i) multiple users share a common access to the service, which is provided from the same electronic equipment, and (ii) processing is carried out separately for each user.
.(e) a “relevant digital service provider” (“RDSP”) is a reference to a person which— (i) provides a relevant digital service in the United Kingdom (whether or not the person is established in the United Kingdom), (ii) is not designated under regulation 14H in relation to the provision of that service, (iii) is not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC, and (iv) either— (aa) is not subject to public authority oversight, or (bb) is subject to public authority oversight but derives more than half of its income from activities of a commercial nature;
(3A) A person does not provide a relevant digital service by virtue of providing a public electronic communications network or a public electronic communications service (in each case as defined by section 151(1) of the Communications Act 2003).
8 Duties of relevant digital service providers¶
(2A) An RDSP must have regard to any relevant guidance issued by the Information Commission when carrying out the duties imposed on it by paragraph (1).
Providers of managed services¶
9 Managed service providers¶
.managed service has the meaning given by paragraph (3B);
.(ea) a “relevant managed service provider” (“RMSP”) is a reference to a person which— (i) provides a managed service in the United Kingdom (whether or not the person is established in the United Kingdom), (ii) is not designated under regulation 14H in relation to the provision of that service, (iii) is not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC, and (iv) either— (aa) is not subject to public authority oversight, or (bb) is subject to public authority oversight but derives more than half its income from activities of a commercial nature;
(3B) “Managed service” means a service which— (a) is provided by a person (“P”) under a contract entered into by P and another person (“the customer”) for the provision of ongoing management of information technology systems for the customer (whether in the form of support and maintenance, monitoring, active administration or other activities), and (b) is provided to the customer by means of P, or a person acting on P’s behalf, connecting to or otherwise obtaining access to network and information systems relied on by the customer in connection with a business or other activity carried on by the customer. (3C) For the purposes of paragraph (3B)(b), it does not matter whether the connection or access to the network and information systems in question is established or obtained on the customer’s premises or remotely. (3D) A person does not provide a managed service by virtue of providing— (a) a data centre service (as defined by paragraph 11(4) of Schedule 2), or (b) a public electronic communications network or a public electronic communications service (in each case as defined by section 151(1) of the Communications Act 2003).
10 Duties of managed service providers to manage risks¶
After regulation 14A of the NIS Regulations insert—Part 4A — Relevant managed service providers
14B. — RMSPs: duties to manage risks to network and information systems
(1) An RMSP must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies for the purpose of providing managed services within the United Kingdom. (2) The measures taken by an RMSP under paragraph (1) must— (a) (having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed, and (b) prevent and minimise the impact of incidents affecting the security of network and information systems referred to in paragraph (1). (3) An RMSP must have regard to any relevant guidance issued by the Information Commission when carrying out the duties imposed on it by paragraph (1).
Persons subject to public authority oversight¶
11 Digital or managed service providers: meaning of “subject to public authority oversight”¶
In regulation 1 of the NIS Regulations, after paragraph (3D) (inserted by section 9(5)) insert—(3E) For the purposes of paragraph (3)(e) and (ea), a person is subject to public authority oversight if the person is subject to the management or control of— (a) one or more UK public authorities, or (b) a board more than half of the members of which are appointed by one or more UK public authorities. In this paragraph, “UK public authority” means a person exercising functions of a public nature in the United Kingdom.
Critical suppliers¶
12 Critical suppliers¶
.critical supplier means a person for the time being designated under regulation 14H;
Part 4B — Critical suppliers
14H. — Designation of critical suppliers
(1) A designated competent authority may designate a person (“P”) under this regulation if— (a) P supplies goods or services directly to an OES for which the authority is the designated competent authority, (b) P relies on network and information systems for the purposes of that supply, (c) the designated competent authority considers that— (i) an incident affecting the operation or security of any network and information system relied on by P for the purposes of that supply has the potential to cause disruption to— (aa) the provision of any essential service by the person to which the supply is made, or (bb) the provision of essential services, relevant digital services or managed services (whether of a particular kind or generally) by persons to which P supplies goods or services, and (ii) any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom, and (d) the designation is not prevented by regulation 14I. (2) The Information Commission may designate a person (“P”) under this regulation if— (a) P supplies goods or services directly to an RDSP or an RMSP, (b) P relies on network and information systems for the purposes of that supply, (c) the Information Commission considers that— (i) an incident affecting the operation or security of any network and information system relied on by P for the purposes of that supply has the potential to cause disruption to— (aa) the provision of any relevant digital service or managed service by the person to which the supply is made, or (bb) the provision of essential services, relevant digital services or managed services (whether of a particular kind or generally) by persons to which P supplies goods or services, and (ii) any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom, and (d) the designation is not prevented by regulation 14I. (3) In reaching a conclusion for the purposes of paragraph (1)(c)(i) or (2)(c)(i), a designated competent authority or the Information Commission must, in particular, have regard to whether the OES, RDSP or RMSP to which the supply is made by P is likely to be able to obtain the goods or services mentioned in paragraph (1)(a) or (2)(a) (as the case may be) from an alternative source in the event of any such incident. (4) In reaching a conclusion for the purposes of paragraph (1)(c)(ii) or (2)(c)(ii), a designated competent authority or the Information Commission must, in particular, have regard to the likely nature, scale and duration of the potential disruption to the provision of the service or services (as the case may be). (5) A person may be designated under this regulation— (a) by more than one designated competent authority; (b) by one or more designated competent authorities and the Information Commission. (6) In considering whether to designate a person (“P”) under this regulation, a designated competent authority or the Information Commission must, in particular, consider— (a) whether the risks that relate to P’s supply of goods or services to an OES, an RDSP or an RMSP (as the case may be) could, if the designation were not made, be adequately managed through the duties imposed on that OES, RDSP or RMSP by these Regulations; (b) whether another person exercises regulatory functions in relation to P (whether or not under these Regulations) and, if so, whether that is likely to be adequate for the management of those risks. (7) A person may be designated under this regulation whether or not the person is established in the United Kingdom. (8) In this regulation, references to the supply of goods or services include the supply of goods or services outside the United Kingdom (as well as within it). 14I. — Restrictions on designation
A person may not be designated under regulation 14H—(a) in relation to the provision of an essential service for a subsector for which the person is deemed to be designated under regulation 8(1) or (2A) or is designated under regulation 8(3), (b) in relation to the provision of a relevant digital service by virtue of which the person is an RDSP, or (c) in relation to the provision of a managed service by virtue of which the person is an RMSP. 14J. — Designation: consultation and procedure
(1) Before designating a person (“P”) under regulation 14H, a designated competent authority or the Information Commission must— (a) consult the persons mentioned in paragraph (2) in relation to the proposed designation, (b) give notice in writing to P which— (i) provides reasons for the proposed designation, and (ii) specifies a reasonable period within which P may make written representations about the proposed designation, and (c) have regard to any representations made to it in accordance with sub-paragraph (b)(ii). (2) The persons to be consulted under paragraph (1)(a) are— (a) in the case of a proposed designation by a designated competent authority (“the consulting authority”)— (i) any other designated competent authority which the consulting authority considers has a relevant connection with P, and (ii) the Information Commission, if the consulting authority considers that the Information Commission has a relevant connection with P, (b) in the case of a proposed designation by the Information Commission, any designated competent authority which the Information Commission considers has a relevant connection with P, and (c) in any case, such other persons as the designated competent authority or the Information Commission (as the case may be) considers appropriate. (3) For the purposes of paragraph (2)(b)— (a) a designated competent authority has a relevant connection with P if— (i) P is for the time being designated by that authority under regulation 14H, or (ii) the authority is the designated competent authority for an OES to which P supplies goods or services directly; (b) the Information Commission has a relevant connection with P if— (i) P is for the time being designated by the Information Commission under regulation 14H, or (ii) P supplies goods or services directly to an RDSP or an RMSP. (4) Paragraph (5) applies where, after complying with paragraph (1) in relation to a person, a designated competent authority or the Information Commission decides to designate the person under regulation 14H. (5) The designated competent authority or the Information Commission (as the case may be) must— (a) give the person a notice confirming the decision, setting out— (i) the reasons for the decision, and (ii) the date on which the designation takes effect, and (b) give a copy of the notice to the persons consulted under paragraph (1)(a). (6) A designated competent authority or the Information Commission may provide for the date from which a designation under regulation 14H made by it has effect to be a date later than the date set out in the notice under paragraph (5)(a) by giving notice of the new date to all persons to which the original notice was given. 14K. — Revocation of designation
(1) Where a designated competent authority has designated a person under regulation 14H, the authority may revoke the designation if it considers that sub-paragraphs (a) to (d) of regulation 14H(1) are not met in relation to the person. (2) Where the Information Commission has designated a person under regulation 14H, the Information Commission may revoke the designation if it considers that sub-paragraphs (a) to (d) of regulation 14H(2) are not met in relation to the person. (3) Where a person (“P”) for the time being designated under regulation 14H by a designated competent authority has reasonable grounds to believe that if P were not already designated by that authority, the authority would not be able to designate P under regulation 14H, P must, as soon as practicable— (a) notify the authority of that belief in writing, providing evidence in support of that belief, and (b) where P believes that their designation would be prevented by regulation 14I(b) or (c), also notify the Information Commission. (4) Where a designated competent authority receives a notification and supporting evidence under paragraph (3)(a) from a person, it must have regard to the notification and evidence in considering whether to revoke the person’s designation under regulation 14H. (5) Where a person (“P”) for the time being designated under regulation 14H by the Information Commission has reasonable grounds to believe that if P were not already designated by the Information Commission, the Information Commission would not be able to designate P under regulation 14H, P must, as soon as practicable, notify the Information Commission of that belief in writing, providing evidence in support of that belief. (6) Where the Information Commission receives a notification and supporting evidence under paragraph (5) from a person, it must have regard to the notification and evidence in considering whether to revoke the person’s designation under regulation 14H. (7) Regulation 14J (consultation and procedure) applies in relation to the revocation of a person’s designation under this regulation as it applies in relation to the designation of a person under regulation 14H. 14L. — Co-ordination
(1) A designated competent authority by which a person (“P”) is for the time being designated under regulation 14H must co-ordinate the exercise of its functions under these Regulations in relation to P with— (a) any other designated competent authority by which P is for the time being designated under regulation 14H, and (b) the Information Commission, where P is for the time being designated under regulation 14H by the Information Commission. (2) Where a person (“P”) is for the time being designated under regulation 14H by the Information Commission, the Information Commission must co-ordinate the exercise of its functions under these Regulations in relation to P with any designated competent authority by which P is for the time being designated under that regulation. (3) The relevant regulators must co-ordinate the exercise of their functions under these Regulations so far as those functions relate to determining— (a) whether a person meets the requirements for designation under regulation 14H, and (b) where a person meets those requirements— (i) whether the person should be designated under regulation 14H, and (ii) if so, by which one or more of the relevant regulators the designation should be made. (4) For the purposes of paragraph (3)— (a) a designated competent authority is a relevant regulator in relation to a person if— (i) the person is for the time being designated by that designated competent authority, or (ii) it is reasonable to assume that the person may meet the requirements for designation under regulation 14H by that designated competent authority; (b) the Information Commission is a relevant regulator in relation to a person if— (i) the person is for the time being designated by the Information Commission, or (ii) it is reasonable to assume that the person may meet the requirements for designation under regulation 14H by the Information Commission. (5) In complying with a duty under any of paragraphs (1) to (3), the designated competent authority or the Information Commission (as the case may be) must exercise its power under regulation 15 to request information from any person with which it is required to co-ordinate if the designated competent authority or the Information Commission considers that the person may be expected to have information that is relevant to the duty in question. (6) A duty imposed by any of paragraphs (1) to (3) does not apply to the extent that compliance with the duty would impose a burden on the designated competent authority or the Information Commission (as the case may be) that is disproportionate to the benefits of compliance. (7) Nothing in this regulation limits or otherwise affects the application of the consultation and co-operation duties that apply— (a) to a designated competent authority under regulation 3(3)(g), and (b) to the Information Commission under regulation 3(4)(c). (8) For the purposes of this regulation, a person meets the requirements for designation under regulation 14H if— (a) sub-paragraphs (a) to (d) of regulation 14H(1) are met in relation to the person, or (b) sub-paragraphs (a) to (d) of regulation 14H(2) are met in relation to the person.
Chapter 2 — Provision of information and reporting of incidents¶
Information to be provided by regulated persons¶
13 Provision of information by operators of data centre services¶
8ZA. — Operators of data centre services: information to be provided in connection with designation
(1) This regulation applies to a person which— (a) is deemed to be designated under regulation 8(1) as an OES for the data infrastructure subsector in relation to the provision of a data centre service, or (b) is designated under regulation 8(3) as an OES for the data infrastructure subsector in relation to the provision of a data centre service. (2) The person must, before the end of the relevant 3-month period, provide the information listed in paragraph (3) to the designated competent authority for the purpose of enabling the authority to maintain the list mentioned in regulation 8(8). (3) The information is— (a) the person’s name; (b) the person’s proper address; (c) where the person is a body corporate, the names of the directors of that body; (d) where the person is a partnership (including a Scottish partnership), the names of the partners or persons having control or management of the partnership business; (e) up-to-date contact details (including email addresses and telephone numbers). (4) “The relevant 3-month period” is the period of 3 months beginning with— (a) where the person is deemed to be designated as mentioned in paragraph (1)(a), the first day on which the person was deemed to be so designated; (b) where the person is designated as mentioned in paragraph (1)(b), the day on which the notice under regulation 8(5) was served on the person in relation to the designation. (5) For the purposes of paragraph (3)(b), a person’s “proper address” is— (a) where the person is a body corporate, the address of the registered or principal office of that body; (b) where the person is a partnership (including a Scottish partnership), the address of the principal office of the partnership; (c) in any other case, the address where the person will accept service of documents for the purposes of these Regulations. (6) The person must notify the designated competent authority in writing of any change to the information listed in paragraph (3) as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with the day on which the change took effect. (7) In this regulation, “data centre service” means an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2.
14 Provision of information by providers of digital or managed services etc¶
;(b) the RDSP’s proper address; (ba) where the RDSP is a body corporate, the names of the directors of that body; (bb) where the RDSP is a partnership (including a Scottish partnership), the names of the partners or persons having control or management of the partnership business; (bc) which relevant digital services the RDSP provides;
;(2A) For the purposes of paragraph (2)(b), an RDSP’s “proper address” is— (a) where the RDSP is a body corporate, the address of the registered or principal office of that body; (b) where the RDSP is a partnership (including a Scottish partnership), the address of the principal office of the partnership; (c) in any other case, the address where the RDSP will accept service of documents for the purposes of these Regulations.
;(4) In this regulation, the registration date means— (a) where the conditions mentioned in regulation 1(3)(e) are satisfied in respect of an RDSP on the day on which section 14 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, the date on which the period of 3 months beginning with that day ends; (b) in any other case, the date on which the period of 3 months beginning with the day on which the conditions mentioned in regulation 1(3)(e) are first satisfied in respect of the RDSP ends.
(5) The Information Commission must send a copy of the register maintained under paragraph (1) to GCHQ for the purpose of facilitating the exercise by GCHQ of any of its functions under or by virtue of these Regulations or any other enactment— (a) before the end of the period of 4 months beginning with the day on which section 14 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, and (b) subsequently, at annual intervals.
(1) This regulation applies to an RDSP which has its principal office outside the United Kingdom.
(3) The RDSP must comply with paragraph (2)— (a) where this regulation applies to the RDSP on the day on which section 14 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, before the end of the period of 3 months beginning with that day; (b) in any other case, before the end of the period of 3 months beginning with the day on which the RDSP becomes an RDSP to which this regulation applies (whether for the first time or on a subsequent occasion). (3A) The RDSP must notify the Information Commission of any change to the information notified under paragraph (2) as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with— (a) where the change is to the representative nominated, the day on which the change took effect; (b) where the change is to the representative’s name or contact details, the day on which the RDSP became aware of the change. (4) The Information Commission or GCHQ may, for the purposes of carrying out their functions under these Regulations, contact the representative instead of or in addition to the RDSP.
14C. — Registration of RMSPs with the Information Commission
(1) The Information Commission must maintain a register of all RMSPs that have been notified to it. (2) An RMSP must submit the following details to the Information Commission before the registration date for the purpose of enabling the Commission to maintain the register under paragraph (1)— (a) the name of the RMSP; (b) the RMSP’s proper address; (c) where the RMSP is a body corporate, the names of the directors of that body; (d) where the RMSP is a partnership (including a Scottish partnership), the names of the partners or persons having control or management of the partnership business; (e) up-to-date contact details (including email addresses and telephone numbers). (3) For the purposes of paragraph (2)(b), an RMSP’s “proper address” is— (a) where the RMSP is a body corporate, the address of the registered or principal office of that body; (b) where the RMSP is a partnership (including a Scottish partnership), the address of the principal office of the partnership; (c) in any other case, the address where the RMSP will accept service of documents for the purposes of these Regulations. (4) “The registration date” means— (a) where the conditions mentioned in regulation 1(3)(ea) are satisfied in respect of an RMSP on the day on which section 14 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, the date on which the period of 3 months beginning with that day ends; (b) in any other case, the date on which the period of 3 months beginning with the day on which the conditions mentioned in regulation 1(3)(ea) are first satisfied in respect of the RMSP ends. (5) An RMSP must notify the Information Commission in writing of any change to the information listed in paragraph (2) as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with the day on which the change took effect. (6) The Information Commission must send a copy of the register maintained under paragraph (1) to GCHQ for the purpose of facilitating the exercise by GCHQ of any of its functions under or by virtue of these Regulations or any other enactment— (a) before the end of the period of 4 months beginning with the day on which section 14 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, and (b) subsequently, at annual intervals. 14D. — Representatives of RMSPs established outside the United Kingdom
(1) This regulation applies to an RMSP which has its principal office outside the United Kingdom. (2) The RMSP must— (a) nominate in writing a representative in the United Kingdom, and (b) notify the Information Commission of the representative’s name and contact details (including an email address and telephone number). (3) The RMSP must comply with paragraph (2)— (a) where this regulation applies to the RMSP on the day on which section 14 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, before the end of the period of 3 months beginning with that day; (b) in any other case, before the end of the period of 3 months beginning with the day on which the RMSP becomes an RMSP to which this regulation applies (whether for the first time or on a subsequent occasion). (4) The RMSP must notify the Information Commission of any change to the information notified under paragraph (2) as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with— (a) where the change is to the representative nominated, the day on which the change took effect; (b) where the change is to the representative’s name or contact details, the day on which the RMSP became aware of the change. (5) The Information Commission or GCHQ may, for the purposes of carrying out their functions under these Regulations, contact the representative instead of or in addition to the RMSP. (6) A nomination under paragraph (2) is without prejudice to any legal action which could be initiated against the RMSP in question.
Reporting of incidents by regulated persons¶
15 Reporting of incidents by regulated persons¶
11. — Notification of incidents (other than in relation to data centre services)
(1) This regulation applies to an OES, except so far as it provides an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2 (data centre services). (2) If the OES is aware that an OES incident has occurred or is occurring, it must give the designated competent authority for the OES— (a) an initial notification containing— (i) the OES’s name and the essential service to which the incident relates, and (ii) brief details of the incident, and (b) a full notification containing the information listed in paragraph (5) in relation to the incident, so far as known to the OES. (3) For the purposes of this regulation, an incident is an “OES incident” if— (a) the incident has affected or is affecting the operation or security of the network and information systems relied on to provide the essential service provided by the OES, and (b) the impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to the factors listed in paragraph (4). (4) The factors referred to in paragraph (3)(b) are— (a) the extent of any disruption which has occurred, is occurring or is likely to occur in relation to the provision of the essential service provided by the OES; (b) the number of users which have been affected, are being affected or are likely to be affected; (c) the duration of the incident; (d) the geographical area which has been affected, is being affected or is likely to be affected by the incident; (e) whether the confidentiality, authenticity, integrity or availability of data relating to users of the essential service has been, is being or is likely to be compromised. (5) The information referred to in paragraph (2)(b) is— (a) the OES’s name and the essential service to which the incident relates; (b) the time the incident occurred, its duration and whether it is ongoing; (c) information concerning the nature of the incident; (d) where the incident was caused by a separate incident affecting another regulated person, details of that separate incident and of the regulated person in question; (e) information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have (as the case may be); (f) such other information as the OES considers may assist the designated competent authority in exercising its functions under regulation 11B in relation to the incident. (6) The notifications required by paragraph (2) must be given— (a) in the case of an initial notification, before the end of the period of 24 hours beginning with the time at which the OES is first aware that an OES incident has occurred or is occurring; (b) in the case of a full notification, before the end of the period of 72 hours beginning with that time. (7) A notification under paragraph (2) must be in writing, and must be provided in such form and manner as the designated competent authority determines. (8) An OES must send a copy of a notification under paragraph (2) to the CSIRT at the same time as sending the notification to the designated competent authority for the OES. (9) In this regulation and regulations 11A and 11B, “regulated person” means an OES, an RDSP, an RMSP or a critical supplier. 11A. — Notification of incidents in relation to data centre services
(1) This regulation applies to an OES so far as it provides an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2 (a “data centre service”). (2) If the OES is aware that a data centre incident has occurred or is occurring, it must give the designated competent authority for the OES— (a) an initial notification containing— (i) the OES’s name and the data centre service to which the incident relates, and (ii) brief details of the incident, and (b) a full notification containing the information listed in paragraph (4) in relation to the incident, so far as known to the OES. (3) In this regulation, “data centre incident” means an incident which could have had, has had, is having or is likely to have— (a) a significant impact on the operation or security of the network and information systems relied on to provide the data centre service provided by the OES in the United Kingdom, (b) a significant impact on the continuity of the data centre service provided by the OES in the United Kingdom, or (c) any other impact, in the United Kingdom or any part of it, which is significant. (4) The information referred to in paragraph (2)(b) is— (a) the OES’s name and the data centre service to which the incident relates; (b) the time the incident occurred, its duration and whether it is ongoing; (c) information concerning the nature of the incident; (d) where the incident was caused by a separate incident affecting another regulated person, details of that separate incident and of the regulated person in question; (e) information concerning the impact (including any cross-border impact) which the incident could have had, has had, is having or is likely to have (as the case may be); (f) such other information as the OES considers may assist the designated competent authority in exercising its functions under regulation 11B in relation to the incident. (5) The notifications required by paragraph (2) must be given— (a) in the case of an initial notification, before the end of the period of 24 hours beginning with the time at which the OES is first aware that a data centre incident has occurred or is occurring; (b) in the case of a full notification, before the end of the period of 72 hours beginning with that time. (6) A notification under paragraph (2) must be in writing, and must be provided in such form and manner as the designated competent authority determines. (7) An OES must send a copy of a notification under paragraph (2) to the CSIRT at the same time as sending the notification to the designated competent authority for the OES. 11B. — Functions of designated competent authority and CSIRT in relation to notified incidents
(1) The CSIRT may, after receiving a copy of a notification under regulation 11 in relation to an incident, notify a relevant authority in a country or territory outside the United Kingdom if the CSIRT considers that— (a) the incident has had or is likely to have an impact on the operation or security of network and information systems relied on for the provision of an essential service in that country or territory, and (b) that impact is or is likely to be significant. (2) The CSIRT may, after receiving a copy of a notification under regulation 11A in relation to an incident, notify a relevant authority in a country or territory outside the United Kingdom if the CSIRT considers that the incident has had or is likely to have a significant impact on— (a) the operation or security of network and information systems relied on for the provision of a data centre service in that country or territory, or (b) the continuity of the provision of a data centre service in that country or territory. (3) For the purposes of paragraphs (1) and (2), an authority in a country or territory outside the United Kingdom is “relevant” if the authority appears to the CSIRT to exercise functions which correspond to functions under these Regulations of— (a) a person designated as a competent authority under regulation 3(1) or (2), (b) the SPOC, or (c) the CSIRT. (4) A designated competent authority or the CSIRT may, after receiving a notification or a copy of a notification under regulation 11 or 11A in relation to an incident, provide the OES which gave the notification with such information as the authority or the CSIRT (as the case may be) considers may assist the OES to deal with that incident more effectively or prevent a future incident. (5) Paragraph (6) applies if a designated competent authority or the CSIRT, after consulting the OES which gave the notification under regulation 11 or 11A, is of the view that— (a) public awareness about the incident to which the notification relates is necessary to manage the incident or prevent a future incident, or (b) it is otherwise in the public interest for the public to be informed about the incident. (6) In such a case— (a) the designated competent authority or the CSIRT may provide the public with such information about the incident as the authority or the CSIRT (as the case may be) considers is necessary for that purpose, or (b) the designated competent authority may direct the OES which gave the notification to do so. (7) Before providing information to the public under paragraph (6)(a), the designated competent authority or the CSIRT (as the case may be) must consult— (a) each other, and (b) the OES which gave the notification in question. (8) Before giving a direction under paragraph (6)(b), the designated competent authority must consult the CSIRT and the OES which gave the notification in question. (9) A designated competent authority or the CSIRT may disclose information from a notification under regulation 11 or 11A in relation to an incident to any regulated person, where the authority or the CSIRT (as the case may be) considers that disclosure is necessary in the interests of preventing other similar incidents. (10) A disclosure of information under paragraph (1), (2) or (9) must not contain— (a) confidential information, or (b) information which may prejudice the security or commercial interests of a regulated person. (11) A disclosure of information under or by virtue of paragraph (6) must not contain information which may prejudice the security interests of a regulated person. (12) Information disclosed to a person under paragraph (9) by a designated competent authority or the CSIRT must not be further disclosed without— (a) the consent of the designated competent authority or the CSIRT (as the case may be), and (b) where the information relates to an identified or identifiable regulated person, the consent of that person. (13) A designated competent authority must provide an annual report to the SPOC, on or before 1 July in each year, identifying the number and nature of incidents notified to it under regulations 11(2)(b) and 11A(2)(b) during the preceding year.
12A. — Notification of RDSP incidents
(1) If an RDSP is aware that an RDSP incident has occurred or is occurring, it must give the Information Commission— (a) an initial notification containing— (i) the RDSP’s name and the relevant digital service to which the incident relates, and (ii) brief details of the incident, and (b) a full notification containing the information listed in paragraph (4) in relation to the incident, so far as known to the RDSP. (2) For the purposes of this regulation, an incident is an “RDSP incident” if— (a) the incident has affected or is affecting the operation or security of the network and information systems relied on to provide the relevant digital service provided by the RDSP, and (b) the impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to the factors listed in paragraph (3). (3) The factors referred to in paragraph (2)(b) are— (a) the extent of any disruption which has occurred, is occurring or is likely to occur in relation to the provision of the relevant digital service provided by the RDSP; (b) the number of users which have been affected, are being affected or are likely to be affected; (c) the duration of the incident; (d) the geographical area which has been affected, is being affected or is likely to be affected by the incident; (e) whether the confidentiality, authenticity, integrity or availability of data relating to users of the relevant digital service has been, is being or is likely to be compromised; (f) whether there has been, is or is likely to be any impact as a result of the incident on network and information systems of users of the service; (g) any impact that the incident has had, is having or is likely to have on the economy or the day-to-day functioning of society. (4) The information referred to in paragraph (1)(b) is— (a) the RDSP’s name and the relevant digital service to which the incident relates; (b) the time the incident occurred, its duration and whether it is ongoing; (c) information concerning the nature of the incident; (d) where the incident was caused by a separate incident affecting another regulated person, details of that separate incident and of the regulated person in question; (e) information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have (as the case may be); (f) such other information as the RDSP considers may assist the Information Commission in exercising its functions under regulation 12B in relation to the incident. (5) The notifications required by paragraph (1) must be given— (a) in the case of an initial notification, before the end of the period of 24 hours beginning with the time at which the RDSP is first aware that an RDSP incident has occurred or is occurring; (b) in the case of a full notification, before the end of the period of 72 hours beginning with that time. (6) A notification under paragraph (1) must be in writing, and must be provided in such form and manner as the Information Commission determines. (7) An RDSP must send a copy of a notification under paragraph (1) to the CSIRT at the same time as sending the notification to the Information Commission. (8) In this regulation and regulation 12B, “regulated person” means an OES, an RDSP, an RMSP or a critical supplier. 12B. — Functions of Information Commission and CSIRT in relation to notified incidents
(1) The CSIRT may, after receiving a copy of a notification under regulation 12A in relation to an incident, notify a relevant authority in a country or territory outside the United Kingdom if the CSIRT considers that— (a) the incident has had or is likely to have an impact on the operation or security of network and information systems relied on for the provision of a relevant digital service in that country or territory, and (b) that impact is or is likely to be significant. (2) The Information Commission or the CSIRT may, after receiving a notification or a copy of a notification under regulation 12A in relation to an incident, provide the RDSP which gave the notification with such information as the Information Commission or the CSIRT (as the case may be) considers may assist the RDSP to deal with that incident more effectively or prevent a future incident. (3) Paragraph (4) applies if the Information Commission or the CSIRT, after consulting the RDSP which gave the notification under regulation 12A, is of the view that— (a) public awareness about the incident to which the notification relates is necessary to manage the incident or prevent a future incident, or (b) it is otherwise in the public interest for the public to be informed about the incident. (4) In such a case— (a) the Information Commission or the CSIRT may provide the public with such information about the incident as the Information Commission or the CSIRT (as the case may be) considers is necessary for that purpose, or (b) the Information Commission may direct the RDSP which gave the notification to do so. (5) Before providing information to the public under paragraph (4)(a), the Information Commission or the CSIRT (as the case may be) must consult— (a) each other, and (b) the RDSP which gave the notification in question. (6) Before giving a direction under paragraph (4)(b), the Information Commission must consult the CSIRT and the RDSP which gave the notification in question. (7) The Information Commission or the CSIRT may disclose information from a notification under regulation 12A in relation to an incident to any regulated person, where the Information Commission or the CSIRT (as the case may be) considers that disclosure is necessary in the interests of preventing other similar incidents. (8) The Information Commission may provide information to the public about an incident affecting relevant digital services in a country or territory outside the United Kingdom if— (a) a relevant authority in the country or territory in question notifies the Information Commission about the incident, and (b) the Information Commission, having consulted that relevant authority, is of the view that public awareness about the incident to which the notification relates is necessary to manage the incident or prevent a future incident or is otherwise in the public interest. (9) A disclosure of information under paragraph (1) or (7) must not contain— (a) confidential information, or (b) information which may prejudice the security or commercial interests of a regulated person. (10) A disclosure of information under or by virtue of paragraph (4) or (8) must not contain information which may prejudice the security interests of a regulated person. (11) Information disclosed to a person under paragraph (7) by the Information Commission or the CSIRT must not be further disclosed without— (a) the consent of the Information Commission or the CSIRT (as the case may be), and (b) where the information relates to an identified or identifiable regulated person, the consent of that person. (12) The Information Commission must provide an annual report to the SPOC, on or before 1 July in each year, identifying the number and nature of incidents notified to it under regulation 12A(1)(b) during the preceding year. (13) For the purposes of this regulation, an authority in a country or territory outside the United Kingdom is “relevant” if the authority appears to the CSIRT or the Information Commission (as the case may be) to exercise functions which correspond to functions under these Regulations of— (a) a person designated as a competent authority under regulation 3(1) or (2), (b) the SPOC, or (c) the CSIRT.
14E. — Notification of RMSP incidents
(1) If an RMSP is aware that an RMSP incident has occurred or is occurring, it must give the Information Commission— (a) an initial notification containing— (i) the RMSP’s name and the managed service to which the incident relates, and (ii) brief details of the incident, and (b) a full notification containing the information listed in paragraph (4) in relation to the incident, so far as known to the RMSP. (2) For the purposes of this regulation, an incident is an “RMSP incident” if— (a) the incident has affected or is affecting the operation or security of the network and information systems relied on to provide the managed service provided by the RMSP, and (b) the impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to the factors listed in paragraph (3). (3) The factors referred to in paragraph (2)(b) are— (a) the extent of any disruption which has occurred, is occurring or is likely to occur in relation to the provision of the managed service provided by the RMSP; (b) the number of users which have been affected, are being affected or are likely to be affected; (c) the duration of the incident; (d) the geographical area which has been affected, is being affected or is likely to be affected by the incident; (e) whether the confidentiality, authenticity, integrity or availability of data relating to users of the managed service has been, is being or is likely to be compromised; (f) whether there has been, is or is likely to be any impact as a result of the incident on network and information systems of users of the service; (g) any impact that the incident has had, is having or is likely to have on the economy or the day-to-day functioning of society. (4) The information referred to in paragraph (1)(b) is— (a) the RMSP’s name and the managed service to which the incident relates; (b) the time the incident occurred, its duration and whether it is ongoing; (c) information concerning the nature of the incident; (d) where the incident was caused by a separate incident affecting another regulated person, details of that separate incident and of the regulated person in question; (e) information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have (as the case may be); (f) such other information as the RMSP considers may assist the Information Commission in exercising its functions under regulation 14F in relation to the incident. (5) The notifications required by paragraph (1) must be given— (a) in the case of an initial notification, before the end of the period of 24 hours beginning with the time at which the RMSP is first aware that an RMSP incident has occurred or is occurring, and (b) in the case of a full notification, before the end of the period of 72 hours beginning with that time. (6) A notification under paragraph (1) must be in writing, and must be provided in such form and manner as the Information Commission determines. (7) An RMSP must send a copy of a notification under paragraph (1) to the CSIRT at the same time as sending the notification to the Information Commission. (8) In this regulation and regulation 14F, “regulated person” means an OES, an RDSP, an RMSP or a critical supplier. 14F. — Functions of Information Commission and CSIRT in relation to notified incidents
(1) The CSIRT may, after receiving a copy of a notification under regulation 14E in relation to an incident, notify a relevant authority in a country or territory outside the United Kingdom if the CSIRT considers that— (a) the incident has had or is likely to have an impact on the operation or security of network and information systems relied on for the provision of a managed service in that country or territory, and (b) that impact is or is likely to be significant. (2) The Information Commission or the CSIRT may, after receiving a notification or a copy of a notification under regulation 14E in relation to an incident, provide the RMSP which gave the notification with such information as the Information Commission or the CSIRT (as the case may be) considers may assist the RMSP to deal with that incident more effectively or prevent a future incident. (3) Paragraph (4) applies if the Information Commission or the CSIRT, after consulting the RMSP which gave the notification under regulation 14E, is of the view that— (a) public awareness about the incident to which the notification relates is necessary to manage the incident or prevent a future incident, or (b) it is otherwise in the public interest for the public to be informed about the incident. (4) In such a case— (a) the Information Commission or the CSIRT may provide the public with such information as the Information Commission or the CSIRT (as the case may be) considers is necessary for that purpose, or (b) the Information Commission may direct the RMSP which gave the notification to do so. (5) Before providing information to the public under paragraph (4)(a), the Information Commission or the CSIRT (as the case may be) must consult— (a) each other, and (b) the RMSP which gave the notification in question. (6) Before giving a direction under paragraph (4)(b), the Information Commission must consult the CSIRT and the RMSP which gave the notification in question. (7) The Information Commission or the CSIRT may disclose information from a notification under regulation 14E in relation to an incident to any regulated person, where the Information Commission or the CSIRT (as the case may be) considers that disclosure is necessary in the interests of preventing other similar incidents. (8) The Information Commission may provide information to the public about an incident affecting managed services in a country or territory outside the United Kingdom if— (a) a relevant authority in the country or territory in question notifies the Information Commission about the incident, and (b) the Information Commission, having consulted that relevant authority, is of the view that public awareness about the incident to which the notification relates is necessary to manage the incident or prevent a future incident or is otherwise in the public interest. (9) A disclosure of information under paragraph (1) or (7) must not contain— (a) confidential information, or (b) information which may prejudice the security or commercial interests of a regulated person. (10) A disclosure of information under or by virtue of paragraph (4) or (8) must not contain information which may prejudice the security interests of a regulated person. (11) Information disclosed to a person under paragraph (7) by the Information Commission or the CSIRT must not be further disclosed without— (a) the consent of the Information Commission or the CSIRT (as the case may be), and (b) where the information relates to an identified or identifiable regulated person, the consent of that person. (12) The Information Commission must provide an annual report to the SPOC, on or before 1 July in each year, identifying the number and nature of incidents notified to it under regulation 14E(1)(b) during the preceding year. (13) For the purposes of this regulation, an authority in a country or territory outside the United Kingdom is “relevant” if the authority appears to the CSIRT or the Information Commission (as the case may be) to exercise functions which correspond to functions under these Regulations of— (a) a person designated as a competent authority under regulation 3(1) or (2), (b) the SPOC, or (c) the CSIRT.
16 Notification of incidents to customers¶
11C. — Incidents: notification of customers
(1) This regulation applies to an OES so far as it provides an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2 (a “data centre service”). (2) After the OES has given a full notification under regulation 11A(2)(b), the OES must, as soon as reasonably practicable— (a) take reasonable steps to establish which of its customers in the United Kingdom are likely to be adversely affected by the incident to which the notification relates, and (b) after those steps have been taken, notify those customers of the incident. (3) When considering whether a customer is likely to be adversely affected by the incident, the OES must take into account— (a) the extent of any actual or likely disruption to the provision of the data centre service provided by the OES to the customer, (b) whether the confidentiality, authenticity, integrity or availability of any data relating to the customer is likely to be compromised, and (c) any other impact on network and information systems of the customer. (4) A notification under paragraph (2)(b) must— (a) provide details of the nature of the incident, and (b) explain why the OES considers that the customer is likely to be adversely affected by the incident.
12C. — Incidents: notification of customers
(1) After an RDSP has given a full notification under regulation 12A(1)(b), the RDSP must, as soon as reasonably practicable— (a) take reasonable steps to establish which of its customers in the United Kingdom are likely to be adversely affected by the incident to which the notification relates, and (b) after those steps have been taken, notify those customers of the incident. (2) When considering whether a customer is likely to be adversely affected by the incident, the RDSP must take into account— (a) the extent of any actual or likely disruption to the provision of the relevant digital service provided by the RDSP to the customer, (b) whether the confidentiality, authenticity, integrity or availability of any data relating to the customer is likely to be compromised, and (c) any other impact on network and information systems of the customer. (3) A notification under paragraph (1)(b) must— (a) provide details of the nature of the incident, and (b) explain why the RDSP considers that the customer is likely to be adversely affected by the incident.
14G. — Incidents: notification of customers
(1) After an RMSP has given a full notification under regulation 14E(1)(b), the RMSP must, as soon as reasonably practicable— (a) take reasonable steps to establish which of its customers in the United Kingdom are likely to be adversely affected by the incident to which the notification relates, and (b) after those steps have been taken, notify those customers of the incident. (2) When considering whether a customer is likely to be adversely affected by the incident, the RMSP must take into account— (a) the extent of any actual or likely disruption to the provision of the managed service provided by the RMSP to the customer, (b) whether the confidentiality, authenticity, integrity or availability of any data relating to the customer is likely to be compromised, and (c) any other impact on network and information systems of the customer. (3) A notification under paragraph (1)(b) must— (a) provide details of the nature of the incident, and (b) explain why the RMSP considers that the customer is likely to be adversely affected by the incident.
Chapter 3 — Other amendments¶
Cost recovery¶
17 Powers to impose charges¶
After regulation 20 of the NIS Regulations insert—Part 5A — Powers to impose charges
20A. — Periodic charges under charging schemes
(1) A NIS enforcement authority may impose a charge on a person in respect of the authority’s relevant costs if— (a) a scheme made by the authority for the purposes of this regulation (a “charging scheme”) has effect, (b) the charge relates to a period specified in the charging scheme (a “chargeable period”), (c) the person is or was regulated by the authority during the whole or part of the chargeable period, and (d) the charge is imposed in accordance with the charging scheme. (2) For the purposes of paragraph (1)— (a) a NIS enforcement authority’s “relevant costs” are its costs or expected costs in connection with the exercise of any of its functions under or by virtue of these Regulations or Part 3 or 4 of the Cyber Security and Resilience (Network and Information Systems) Act 2026; (b) the costs in respect of which a NIS enforcement authority may impose a periodic charge include costs incurred by the authority before the relevant day in preparation for the imposition of charges in accordance with this regulation, and in sub-paragraph (b) “the relevant day” is the day on which section 17 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force.(3) A charging scheme made by a NIS enforcement authority must specify— (a) the functions of the authority in respect of which a charge is payable in accordance with the scheme, (b) the chargeable periods under the scheme, (c) either— (i) the amount of a charge, or (ii) how the amount of a charge is to be determined by the authority (including factors to be taken into account in making the determination), (d) when and how a charge is to be paid, and (e) the date (not before the end of the 14-day period beginning with the day on which the scheme is published) from which the scheme has effect. (4) A charging scheme made by a NIS enforcement authority— (a) may provide for charges to be imposed in respect of anything done by the authority in connection with the enforcement of requirements imposed under or by virtue of these Regulations or Part 3 or 4 of the Cyber Security and Resilience (Network and Information Systems) Act 2026; (b) may make different provision for different purposes (including different provision in relation to persons of different descriptions or different circumstances); (c) may provide that a charge is not payable by persons of a description specified in the scheme or if conditions specified in the scheme are met. (5) A charge payable by a person in accordance with a charging scheme need not relate to the exercise of functions in relation to the person. (6) A NIS enforcement authority may revise or revoke its charging scheme. (7) A NIS enforcement authority must publish its charging scheme (including any revised scheme). (8) Before making or revising a charging scheme, a NIS enforcement authority must consult such of the persons regulated by the authority as it considers appropriate. (9) No consultation is required under paragraph (8) in relation to revisions of a charging scheme that are only minor. (10) For the purposes of this regulation, a person (“P”) is regulated by a NIS enforcement authority if— (a) where the NIS enforcement authority is a person designated by regulation 3(1), P is— (i) an OES within a subsector specified in column 2 of the table in Schedule 1 for which the authority is specified in column 3 of that table, or (ii) a person in respect of which a designation by the authority under regulation 14H(1) has effect; (b) where the NIS enforcement authority is the Information Commission, P is— (i) an RDSP or an RMSP, or (ii) a person in respect of which a designation by the Information Commission under regulation 14H(1) has effect. 20B. — Further provision about periodic charges under regulation 20A
(1) Where the amount of a charge payable by a person (“P”) to a NIS enforcement authority under regulation 20A is determined by reference to P’s turnover in respect of a period specified in the authority’s charging scheme, the amount of that turnover is, in the event of a disagreement between P and the authority, the amount determined by the authority. (2) A charge payable to a NIS enforcement authority in accordance with the authority’s charging scheme is recoverable as a civil debt due to the authority. (3) A NIS enforcement authority must, in relation to each chargeable period in respect of which a charge is payable to the authority under regulation 20A, produce a statement setting out the required information. (4) The required information is— (a) the aggregate amount of the charges payable to the authority in relation to the chargeable period which has been received by the NIS enforcement authority, (b) the aggregate amount of the charges payable to the authority in relation to the chargeable period which remains outstanding and is likely to be paid or recovered, and (c) the cost to the authority of the exercise of functions in respect of which charges are payable to the authority in relation to the chargeable period. (5) A NIS enforcement authority must publish a statement produced by it under paragraph (3) in relation to a chargeable period— (a) if the charges to which the statement relates are payable to the authority before the end of that period, as soon as reasonably practicable after the end of the period; (b) if the charges to which the statement relates are payable to the authority after the end of that period, as soon as reasonably practicable after the time by which all charges payable to the authority in accordance with its charging scheme are required to be paid. (6) In this regulation— chargeable period, in relation to a charging scheme, means a period specified in the scheme by virtue of regulation 20A(3)(b); charging scheme, in relation to a NIS enforcement authority, has the meaning given by regulation 20A(1)(a). 20C. — Charges (other than under periodic charges under regulation 20A)
(1) A NIS enforcement authority may require a person which is or has been regulated by the authority to pay it a charge in respect of costs incurred by or on behalf of the authority in exercising a function under these Regulations in relation to the person. (2) Where a person is required by a NIS enforcement authority to pay a charge under paragraph (1), the authority must give the person an invoice stating the costs to which the charge relates. (3) A NIS enforcement authority may not impose a charge under paragraph (1) in connection with— (a) costs relating to an appeal under regulation 19A against a decision of the authority, (b) costs relating to the bringing of proceedings by the authority under regulation A20, or (c) the exercise of any function in respect of which a charge is payable to the authority in accordance with a scheme made by the authority for the purposes of regulation 20A. (4) A charge payable under paragraph (1) is recoverable as a civil debt due to the NIS enforcement authority. (5) The reference in paragraph (1) to a person regulated by a NIS enforcement authority is to be construed in accordance with regulation 20A(10).
Information sharing¶
18 Sharing and use of information under the NIS Regulations etc¶
(5A) A copy of the lists kept by it as required by paragraph (3)(c) and (d) must be sent by a competent authority under paragraph (3)(e)— (a) before the end of the period of 4 months beginning with the day on which section 18(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026 comes into force, and (b) subsequently, at annual intervals.
(2ZA) For the purposes of paragraph (2), an authority in a country or territory outside the United Kingdom is “relevant” if the authority appears to the SPOC to exercise functions which correspond to functions under these Regulations of— (a) a person designated as a competent authority under regulation 3(1) or (2), (b) the SPOC, or (c) the CSIRT.
6. — Sharing of information
(1) A NIS enforcement authority may disclose to another NIS enforcement authority or to a person within paragraph (2) information obtained in the exercise of its functions— (a) for the purposes of these Regulations or of facilitating the exercise by a NIS enforcement authority of any of its functions under or by virtue of these Regulations or any other enactment (including an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament), (b) otherwise in connection with— (i) the security or resilience of network and information systems, or (ii) any other matter relating to cyber security or resilience, (c) for national security purposes, (d) in connection with the prevention or detection of crime (whether or not in the United Kingdom), (e) in connection with the investigation of a criminal offence (whether or not in the United Kingdom), or (f) for the purposes of criminal proceedings (whether or not in the United Kingdom). (2) The following persons are within this paragraph— (a) the Secretary of State; (b) a relevant law-enforcement authority; (c) the CSIRT; (d) a UK public authority which does not fall within any of sub-paragraphs (a) to (c). (3) A person within paragraph (2) may disclose to a NIS enforcement authority information obtained in the exercise of the person’s functions for any of the purposes mentioned in paragraph (1).
For this purpose, the reference in paragraph (2)(b) to a relevant law-enforcement authority is to be read as a reference to a relevant law-enforcement authority which exercises functions in the United Kingdom.
(4) A NIS enforcement authority may disclose to the Secretary of State information obtained in the exercise of its functions if the authority considers that the information— (a) may be relevant for the purposes of a report under section 40 of the Cyber Security and Resilience (Network and Information Systems) Act 2026 (reports on network and information systems legislation), (b) may assist the Secretary of State in assessing the provision and availability of data centre services in the United Kingdom, or (c) may assist the Secretary of State in formulating policy relating to— (i) the provision and availability of data centre services in the United Kingdom, or (ii) national security. (5) The Secretary of State may disclose to a NIS enforcement authority information obtained by the Secretary of State in the exercise of functions under these Regulations if the Secretary of State considers that doing so may assist the Secretary of State— (a) in preparing a report under section 40 of the Cyber Security and Resilience (Network and Information Systems) Act 2026, (b) in assessing the provision and availability of data centre services in the United Kingdom, or (c) in formulating policy relating to anything mentioned in paragraph (4)(c). (6) A NIS enforcement authority may disclose information obtained by the authority in the exercise of its functions to a relevant overseas authority if the disclosure is for a purpose mentioned in paragraph (1). (7) In paragraph (6), a “relevant overseas authority”, in relation to a disclosure by a NIS enforcement authority, means a person in any country or territory outside the United Kingdom which appears to the NIS enforcement authority to exercise functions of a public nature which— (a) correspond to functions under these Regulations of— (i) a person designated as a competent authority under regulation 3(1) or (2), (ii) the SPOC, or (iii) the CSIRT, or (b) relate to any of the matters mentioned in paragraph (1)(b) to (f). (8) In this regulation— data centre service means an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2; UK public authority means a person exercising functions of a public nature in the United Kingdom. 6A. — Onward disclosure and further provision about information sharing
(1) Information disclosed to a person under regulation 6 (“relevant information”) must not be further disclosed except in accordance with paragraph (2) or (4). (2) Relevant information may be disclosed— (a) to the Secretary of State if— (i) the disclosure is for a purpose mentioned in regulation 6(1), or (ii) the person making the disclosure considers that any of sub-paragraphs (a) to (c) of regulation 6(4) applies in relation to the information; (b) to any of the persons mentioned in paragraph (3), if the disclosure is for a purpose mentioned in regulation 6(1). (3) The persons referred to in paragraph (2)(b) are— (a) a relevant law-enforcement authority; (b) the CSIRT; (c) a UK public authority (within the meaning of regulation 6) which does not fall within sub-paragraph (a) or (b). (4) Relevant information may be disclosed to any person with— (a) the consent of the person from which the information was obtained, and (b) where the information relates to an identified or identifiable individual or business, the consent of that individual or business. (5) A disclosure of information under any provision of regulation 6 or this regulation must be limited to information which is relevant and proportionate to the purpose for which the disclosure is being made. (6) The disclosure of information under any provision of regulation 6 or this regulation does not breach— (a) any obligation of confidence owed by the person making the disclosure, or (b) any other restriction on the disclosure of information (however imposed). (7) Nothing in regulation 6 or this regulation authorises a disclosure of information which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016. (8) Regulation 6 and this regulation do not limit the circumstances in which information may be disclosed apart from those regulations. 6B. — Use of information by the Information Commission
The Information Commission may use information obtained by it under or by virtue of these Regulations for the purpose of facilitating the exercise of any of its functions under or by virtue of any other enactment, if it considers that the use of the information for that purpose is necessary and proportionate.
(1A) A disclosure of information under paragraph (1) must be limited to information which is relevant and proportionate to the purpose for which the disclosure is being made. (1B) The disclosure of information under paragraph (1) does not breach— (a) any obligation of confidence owed by the person making the disclosure, or (b) any other restriction on the disclosure of information (however imposed). (1C) This regulation does not authorise a disclosure of information which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Guidance¶
19 Guidance¶
;(3ZA) Guidance under paragraph (3)(b) must, in particular, include guidance on— (a) the taking of appropriate and proportionate measures under regulation 10(1) and (2); (b) the requirements imposed on OESs by regulation 11; (c) the requirements imposed by regulations 8ZA, 11A and 11C on OESs which provide an essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2. (3ZB) When preparing guidance under paragraph (3)(b), a designated competent authority must have regard to any relevant code which is in force, so far as the code appears to the authority to be relevant to persons regulated by it, with a view to ensuring that the guidance is consistent with the code. (3ZC) When preparing guidance under paragraph (3)(b) that relates to critical suppliers, or to the designation of persons under regulation 14H, a designated competent authority must— (a) coordinate with other designated competent authorities and the Information Commission with a view to ensuring that, where appropriate, the guidance is consistent with guidance issued or to be issued by those other designated competent authorities and the Information Commission, and (b) consult each of the other designated competent authorities and the Information Commission before publishing the guidance.
(4A) Guidance under paragraph (4)(b) must, in particular, include guidance on— (a) the taking of appropriate and proportionate measures by RDSPs under regulation 12(1); (b) the requirements imposed on RDSPs by regulations 12A, 12C and 14; (c) the taking of appropriate and proportionate measures by RMSPs under regulation 14B(1); (d) the requirements imposed on RMSPs by regulations 14C, 14E and 14G. (4B) When preparing guidance under paragraph (4)(b), the Information Commission must have regard to any relevant code which is in force, so far as the code appears to the Information Commission to be relevant to persons regulated by it, with a view to ensuring that the guidance is consistent with the code. (4C) When preparing guidance under paragraph (4)(b) that relates to critical suppliers, or to the designation of persons under regulation 14H, the Information Commission must— (a) coordinate with the designated competent authorities with a view to ensuring that, where appropriate, the guidance is consistent with guidance issued or to be issued by those designated competent authorities, and (b) consult each of the designated competent authorities before publishing the guidance.
(7) In this regulation, “relevant code” means a code of practice issued under section 36 of the Cyber Security and Resilience (Network and Information Systems) Act 2026.
3A. — Guidance
A designated competent authority and the Information Commission must have regard to any relevant guidance published by the Secretary of State when carrying out their functions under these Regulations.
Investigatory powers, enforcement and penalties¶
20 Powers to require information¶
15. — Information gathering
(1) A designated competent authority may require a person to which paragraph (3) applies to give the authority such information or documents as it reasonably requires for the purpose of exercising or deciding whether to exercise any of its functions under these Regulations. (2) The Information Commission may require a person to which paragraph (3) applies to give the Information Commission such information or documents as it reasonably requires for the purpose of exercising or deciding whether to exercise any of its functions under these Regulations. (3) This paragraph applies to— (a) in a case within paragraph (1)— (i) a person regulated by the designated competent authority, and (ii) any other person (other than the SPOC or the CSIRT) which appears to the designated competent authority to be likely to have the information or documents sought; (b) in a case within paragraph (2)— (i) a person regulated by the Information Commission, and (ii) any other person (other than the SPOC or the CSIRT) which appears to the Information Commission to be likely to have the information or documents sought. (4) The information or documents which may be required by a designated competent authority under paragraph (1) include, in particular, information or documents for any of the following purposes— (a) establishing whether a person falls within regulation 8(1) or meets the conditions for designation by the authority under regulation 8(3); (b) establishing whether a person meets the requirements for designation under regulation 14H by the authority; (c) deciding whether to designate a person under regulation 8(3) or 14H; (d) deciding whether to revoke a person’s designation under regulation 9 or 14K; (e) assessing the security or resilience of network and information systems relied on by a person regulated by the designated competent authority; (f) establishing whether any incident has occurred that the designated competent authority believes could have had, has had, is having or is likely to have, an adverse effect on the security or resilience of network and information systems relied on by a person regulated by the authority, and the nature and impact of any such incident; (g) assessing the implementation of measures taken under regulation 10 to manage risks and to prevent and minimise the impact of incidents, including as a result of any inspection conducted under regulation 16; (h) identifying a failure of a person to comply with any duty imposed by these Regulations; (i) determining the amount of a penalty payable by a person to the authority under regulation 18; (j) determining the amount of a charge payable by a person under a scheme made by the authority under regulation 20A(1). (5) The information or documents which may be required by the Information Commission under paragraph (2) include, in particular, information or documents for any of the following purposes— (a) establishing whether a person is an RDSP or an RMSP; (b) establishing whether a person meets the requirements for designation under regulation 14H by the Information Commission; (c) deciding whether to designate a person under regulation 14H; (d) deciding whether to revoke a person’s designation under regulation 14K; (e) assessing the security or resilience of network and information systems relied on by a person regulated by the Information Commission; (f) establishing whether any incident has occurred that the Information Commission believes could have had, has had, is having or is likely to have, an adverse effect on the security or resilience of network and information systems relied on by a person regulated by the Commission, and the nature and impact of any such incident; (g) assessing the implementation of measures taken under regulation 12 or 14B to manage risks and to prevent and minimise the impact of incidents, including as a result of any inspection conducted under regulation 16; (h) identifying a failure of a person to comply with any duty imposed by these Regulations; (i) determining the amount of a penalty payable by a person to the Information Commission under regulation 18; (j) determining the amount of a charge payable by a person under a scheme made by the Information Commission under regulation 20A(1). (6) The power conferred by paragraph (1) or (2) is to be exercised by giving the person in question a notice in writing (an “information notice”) which must— (a) specify or describe the information or documents sought, (b) explain why the information or documents are being sought, (c) specify the manner and form in which the information or documents must be given, (d) specify the time by which, or period within which, the information or documents must be given, and (e) include information about the possible consequences of not complying with the notice. (7) An information notice given to a person to which paragraph (3)(a)(ii) or (b)(ii) applies— (a) may take the form of a general request for a category of persons specified in the notice to provide the information or documents specified or described in the notice; (b) may be given by being published in such manner as the person giving the notice considers appropriate for the purpose of bringing the notice to the attention of persons described in it as persons from which the information or documents are required. (8) A person to which an information notice is given under this regulation must comply with the requirements imposed by the notice. (9) For the purposes of this regulation— (a) a person is regulated by a designated competent authority if the person is— (i) an OES within a subsector specified in column 2 of the table in Schedule 1 for which the authority is specified in column 3 of that table, or (ii) a person designated by the authority under regulation 14H (critical suppliers); (b) a person is regulated by the Information Commission if the person is— (i) an RDSP or an RMSP, or (ii) a person designated by the Information Commission under regulation 14H (critical suppliers). 15A. — Information gathering: further provision
(1) The power conferred by regulation 15(1) or (2) to require a person (“P”) to give information includes power to require P— (a) to obtain or generate information or documents; (b) to collect or retain information or documents that P would not otherwise collect or retain for the purpose of giving it under the provision in question. (2) An information notice under regulation 15 may be given to a person whether or not the person is established in the United Kingdom. (3) The powers conferred by regulation 15 are exercisable in relation to information or documents whether stored within or outside the United Kingdom. (4) A person may not be required under regulation 15 to give a privileged communication to a designated competent authority or the Information Commission. (5) A “privileged communication” is a communication— (a) between a professional legal adviser and their client, or (b) made in connection with, or in contemplation of, legal proceedings and for the purposes of those proceedings, which in proceedings in the High Court would be protected from disclosure on grounds of legal professional privilege.(6) In the application of paragraph (5) to Scotland— (a) the reference to the High Court is to be read as a reference to the Court of Session; (b) the reference to legal professional privilege is to be read as a reference to the confidentiality of communications. (7) An information notice given under regulation 15 by a designated competent authority or the Information Commission may be revoked by that authority or the Information Commission (as the case may be)— (a) where the notice was given as mentioned in regulation 15(7)(b), by publication of a notice in the same manner as that in which the information notice was published; (b) otherwise, by the giving of a notice to the recipient of the information notice.
21 Financial penalties¶
(2A) The Information Commission may serve a notice of intention to impose a penalty on an RMSP if the Information Commission— (a) has reasonable grounds to believe that the RMSP has failed to comply with a duty referred to in regulation 17(2ZA) or the duty set out in regulation 17(3A), and (b) considers that a penalty is warranted having regard to the facts and circumstances of the case. (2B) A designated competent authority or the Information Commission may serve a notice of intention to impose a penalty on a person if the authority or Information Commission (as the case may be)— (a) has reasonable grounds to believe that the person has failed to comply with— (i) an information notice given to the person under regulation 15 by the authority or Information Commission (as the case may be), or (ii) the duty set out in regulation 17(3A), and (b) considers that a penalty is warranted having regard to the facts and circumstances of the case.
(3A) Paragraph (3B) applies where a designated competent authority or the Information Commission has served a notice of intention to impose a penalty on a person. (3B) The designated competent authority or the Information Commission (as the case may be) may, after considering any representations submitted in accordance with paragraph (3)(f), serve a penalty notice on the person with a final penalty decision if the authority or Information Commission is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.
(5) A penalty imposed under this regulation— (a) must be of an amount which the designated competent authority or the Information Commission (as the case may be) determines is appropriate and proportionate in the circumstances, including having regard to the matters mentioned in paragraph (6); (b) must not exceed the maximum amount applicable to the failure in respect of which the penalty is imposed. (6) The matters referred to in paragraph (5)(a) are— (a) the impact of the failure in respect of which the penalty is imposed, (b) any steps taken by the person on which the penalty is imposed to remedy the failure or mitigate its impact, and (c) the person’s previous compliance or non-compliance with requirements imposed under or by virtue of these Regulations or regulations under section 29(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026. (7) The maximum amount of a penalty that may be imposed on a person is— (a) in the case of a failure to which paragraph (10) applies, the standard maximum amount; (b) in the case of a failure to which paragraph (11) applies, the higher maximum amount. (8) The “standard maximum amount” is— (a) where the person is an undertaking, the greater of— (i) £10,000,000, and (ii) 2% of the turnover of the undertaking (both inside and outside the United Kingdom); (b) in any other case, £10,000,000. (9) The “higher maximum amount” is— (a) where the person is an undertaking, the greater of— (i) £17,000,000, and (ii) 4% of the turnover of the undertaking (both inside and outside the United Kingdom); (b) in any other case, £17,000,000. (10) This paragraph applies to a failure to comply with a duty referred to in any of the following provisions— (a) in regulation 17(1) (OES failures)— (i) sub-paragraph (za) (failure to notify under regulation 8(2)); (ii) sub-paragraph (zaa) (failure to comply with requirements in regulation 8ZA); (iii) sub-paragraph (zb) (failure to comply with requirements in regulation 8A); (iv) sub-paragraph (ca) (failure to comply with regulation 11(8)); (v) sub-paragraph (cd) (failure to comply with regulation 11A(7)); (vi) sub-paragraph (cf) (failure to comply with regulation 11B(12), 12B(11) or 14F(11) in relation to the making of a further disclosure); (b) in regulation 17(2) (RDSP failures)— (i) sub-paragraph (ca) (failure to comply with regulation 12A(7)); (ii) sub-paragraph (dza) (failure to comply with regulation 11B(12), 12B(11) or 14F(11) in relation to the making of a further disclosure); (iii) sub-paragraph (dzc) (failure to comply with regulation 14(2) or (3)); (iv) sub-paragraph (da) (failure to comply with requirements in regulation 14A); (c) in regulation 17(2ZA) (RMSP failures)— (i) sub-paragraph (b) (failure to comply with regulation 14C(2) or (5)); (ii) sub-paragraph (c) (failure to comply with regulation 14D); (iii) sub-paragraph (f) (failure to comply with regulation 14E(7)); (iv) sub-paragraph (h) (failure to comply with regulation 11B(12), 12B(11) or 14F(11) in relation to the making of a further disclosure). (11) This paragraph applies to a failure to comply with a duty referred to in any of the following provisions— (a) in regulation 17(1) (OES failures)— (i) sub-paragraph (a) (failure to fulfil the security duties under regulation 10(1) and (2)); (ii) sub-paragraph (b) (failure to notify an incident under regulation 11(2)); (iii) sub-paragraph (c) (failure to comply with regulation 11(6) and (7) in relation to the notification requirements in regulation 11(2)); (iv) sub-paragraph (cb) (failure to give notification in relation to an incident as required by regulation 11A(2)); (v) sub-paragraph (cc) (failure to comply with regulation 11A(5) and (6) in relation to a notification under 11A(2)); (vi) sub-paragraph (ce) (failure to comply with direction under regulation 11B(6)(b)); (vii) sub-paragraph (cg) (failure to comply with regulation 11C(2)(b) and (4)); (viii) sub-paragraph (f) (failure to comply with direction under regulation 16(1)(c) or requirements under regulation 16(3)); (b) in regulation 17(2) (RDSP failures)— (i) sub-paragraph (a) (failure to fulfil duties under regulation 12(1)); (ii) sub-paragraph (b) (failure to notify an incident under regulation 12A(1)); (iii) sub-paragraph (c) (failure to comply with regulation 12A(5) and (6) in relation to notification requirement under regulation 12A(1)); (iv) sub-paragraph (d) (failure to comply with a direction made by the Information Commission under regulation 12B(4)(b)); (v) sub-paragraph (dzb) (failure to comply with regulation 12C(1)(b) and (3)); (vi) sub-paragraph (f) (failure to comply with a direction given under regulation 16(2)(c), or the requirements at regulation 16(3)); (c) in regulation 17(2ZA) (RMSP failures)— (i) sub-paragraph (a) (failure to comply with regulation 14B(1)); (ii) sub-paragraph (d) (failure to give a notification as required by regulation 14E(1)); (iii) sub-paragraph (e) (failure to comply with the requirements in regulation 14E(5) and (6) in relation to a notification under regulation 14E(1)); (iv) sub-paragraph (g) (failure to comply with a direction under regulation 14F(4)(b)); (v) sub-paragraph (i) (failure to comply with regulation 14G(1)(b) and (3)); (vi) sub-paragraph (j) (failure to comply with a direction under regulation 16(2)(c)); (vii) sub-paragraph (k) (failure to comply with regulation 16(3)); (d) regulation 17(2ZB) (failure to comply with information notice).
22 Enforcement and appeals¶
Schedule 1 contains further amendments to the NIS Regulations in connection with enforcement and appeals.Other¶
23 Minor and consequential amendments etc¶
Schedule 2 contains minor and consequential amendments to the NIS Regulations and other enactments.Part 3 — Security and resilience of systems: functions of the Secretary of State¶
Chapter 1 — Introductory¶
24 Key definitions in Part 3¶
Chapter 2 — Statement of strategic priorities etc¶
25 Statement of strategic priorities etc¶
26 Consultation and procedure in relation to statement¶
27 Duties of regulatory authorities in relation to statement¶
28 Report by Secretary of State¶
Chapter 3 — Regulations about security and resilience of systems¶
29 Regulations relating to security and resilience of network and information systems¶
30 Imposition of requirements on regulated persons¶
31 Functions of regulatory authorities: enforcement, sanctions and appeals¶
32 Provision about financial penalties¶
33 Regulatory authorities and other persons: information, guidance and other functions¶
34 Recovery of costs of regulatory authorities¶
35 Supplementary provision and interpretation¶
Chapter 4 — Code of practice¶
36 Code of practice¶
37 Procedure for issue of code of practice¶
38 Effects of code of practice¶
39 Withdrawal of code of practice¶
Chapter 5 — Report on network and information systems legislation¶
40 Report on network and information systems legislation¶
Chapter 6 — Regulations under Part 3¶
41 Regulations under section 24 or Chapter 3¶
42 Consultation and procedure¶
Part 4 — Directions for national security purposes¶
Directions to regulated persons¶
43 Directions to regulated persons¶
44 Compliance with directions under section 43 to take priority¶
Monitoring of compliance with directions¶
45 Monitoring by regulatory authorities¶
Information gathering and inspections¶
46 Information gathering¶
47 Inspections¶
Enforcement of requirements¶
48 Notification of contravention¶
49 Penalty amounts¶
50 Enforcement of notification¶
51 Enforcement of penalty¶
52 Enforcement of non-disclosure requirements¶
;(2) In this section and sections 49 to 51 “enforcement authority”, in relation to a non-disclosure requirement, means the person which imposed the requirement.
;(d) specifies the steps that the enforcement authority thinks should be taken by that person in order to— (i) bring the contravention to an end, and (ii) limit the consequences of the contravention, and
;(2) The amount of a penalty may not exceed £10,000,000. (3) In the case of a penalty specified under section 48(6), the amount may not exceed (subject to subsection (2)) £50,000 per day.
;(5) A confirmation decision may— (a) require immediate action by the person— (i) to bring the contravention to an end, and (ii) to limit the consequences of the contravention, or (b) specify a period within which the person must bring that contravention to an end and limit those consequences, and may specify the steps to be taken by the person in order to bring that contravention to an end or limit those consequences.
.(ii) any steps taken by the person to bring the contravention to an end or to limit the consequences of the contravention,
Directions to regulatory authorities¶
53 Power to direct regulatory authorities¶
General provision¶
54 Review, variation and revocation of directions¶
55 Laying before Parliament¶
56 Information sharing¶
57 Means of giving directions, notices etc¶
58 Interpretation of Part 4¶
In this Part—Part 5 — General¶
59 Extent¶
This Act extends to England and Wales, Scotland and Northern Ireland.60 Commencement¶
61 Short title¶
Schedules¶
Schedule 11 — Enforcement and appeals¶
(4A) An inspector must, before conducting all or any part of an inspection under paragraph (1) or (2), give the OES, RDSP or RMSP (as the case may be) a notice setting out information about the possible consequences of failure to comply with the duties imposed by paragraph (3).
(8A) A person may not be required under this regulation to produce, or provide an inspector with access to, a privileged communication. (8B) The powers conferred by this regulation— (a) are not exercisable in relation to premises, material, equipment or individuals outside the United Kingdom; (b) are exercisable in relation to documents or information whether stored within or outside the United Kingdom.
(d) “privileged communication” has the meaning given by regulation 15A(5).
;(zaa) comply with a requirement imposed by regulation 8ZA;
;(b) give a notification in relation to an incident as required by regulation 11(2);
;(c) comply with regulation 11(6) and (7) in relation to a notification under regulation 11(2); (ca) comply with regulation 11(8); (cb) give a notification in relation to an incident as required by regulation 11A(2); (cc) comply with regulation 11A(5) and (6) in relation to a notification under regulation 11A(2); (cd) comply with regulation 11A(7); (ce) comply with a direction given to it under regulation 11B(6)(b); (cf) comply with regulation 11B(12), 12B(11) or 14F(11) in relation to the making of a further disclosure as mentioned in the provision in question; (cg) comply with regulation 11C(2)(b) and (4); or
;(b) give a notification in relation to an incident as required by regulation 12A(1);
;(c) comply with regulation 12A(5) and (6) in relation to a notification under regulation 12A(1); (ca) comply with regulation 12A(7);
;(dza) comply with regulation 11B(12), 12B(11) or 14F(11) in relation to the making of a further disclosure as mentioned in the provision in question; (dzb) comply with regulation 12C(1)(b) and (3); (dzc) comply with regulation 14(2) or (3);
(2ZA) Subject to paragraph (2A), the Information Commission may serve an enforcement notice upon an RMSP if the Information Commission has reasonable grounds to believe that the RMSP has failed to comply with any of the following— (a) the duty imposed on it by regulation 14B(1); (b) the requirements imposed by regulation 14C(2) or (5); (c) the requirements imposed by regulation 14D; (d) the duty to give a notification in relation to an incident as required by regulation 14E(1); (e) the requirements in regulation 14E(5) and (6) in relation to a notification under regulation 14E(1); (f) the duty in regulation 14E(7); (g) a direction given to it under regulation 14F(4)(b); (h) regulation 11B(12), 12B(11) or 14F(11) in relation to the making of a further disclosure as mentioned in the provision in question; (i) the duty in regulation 14G(1)(b) and (3); (j) a direction given to it under regulation 16(2)(c); (k) the requirements set out in regulation 16(3). (2ZB) Subject to paragraph (2A), a designated competent authority or the Information Commission may serve an enforcement notice on a person if the authority or the Information Commission (as the case may be) has reasonable grounds to believe that the person has failed to comply with an information notice given by it to the person under regulation 15.
(3ZA) The steps which may be specified under paragraph (3)(c) include steps outside the United Kingdom.
(3A) A person on which an enforcement notice has been served under this regulation must comply with the requirements, if any, of the notice regardless of whether the person has paid any penalty imposed on them under regulation 18.
(2A) An RMSP may appeal to the First-tier Tribunal against one or both of the following decisions of the Information Commission on one or more of the grounds specified in paragraph (3)— (a) a decision under regulation 17(2ZA) or (2ZB) to serve an enforcement notice on that RMSP; (b) a decision under regulation 18(3B) to serve a penalty notice on that RMSP. (2B) A person may appeal to the First-tier Tribunal against any of the following decisions of a designated competent authority or of the Information Commission, on one or more of the grounds specified in paragraph (3)— (a) a decision under regulation 14H to designate that person; (b) a decision under regulation 14K to revoke that person’s designation under regulation 14H; (c) a decision under regulation 17(2ZB) to serve an enforcement notice on that person; (d) a decision under regulation 18(3B) to serve a penalty notice on that person.
.(ba) a decision to designate a person under regulation 14H; (bb) a decision under regulation 14K to revoke a person’s designation under regulation 14H;
.(c) a decision under regulation 17 to serve an enforcement notice; or
(1) This regulation applies where a designated competent authority or the Information Commission has reasonable grounds to believe that a person served with an enforcement notice under regulation 17 by them has failed to comply with the requirements of that notice as required by paragraph (3A) of that regulation.
Schedule 22 — Minor and consequential amendments etc¶
The NIS Regulations¶
;CSIRT means the person designated by regulation 5 (computer security incident response team);
;SPOC means the person designated by regulation 4 (single point of contact).
.(c) consider whether and how to exercise its functions in response to any incident in relation to which it has been provided with a copy of a notification by virtue of regulation 11(8), 11A(7), 12A(7) or 14E(7);
;(a) where the change is to the person nominated, the day on which the change took effect; (b) where the change is to the nominated person’s name, address or contact details, the day on which the OES became aware of the change.
(c) sending it by post to the person’s proper address or by email to the person’s email address.
(5) For the purposes of this regulation, a person’s “proper address” is— (a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office; (b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office; (c) in any other case, an address in the United Kingdom at which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of the person on whom it is to be served or to whom it is to be given. (5A) For the purposes of this regulation, a person’s email address is— (a) an email address provided to a NIS enforcement authority as an address for contacting that person, (b) an email address published for the time being by that person as an address for contacting that person, or (c) if no email address has been so provided or published, an email address by means of which the person serving or giving the document, notice or direction believes, on reasonable grounds, that it will come to the attention of that person.
(5B) A document, notice or direction sent to a person by email is, unless the contrary is proved, to be treated as having been served or given at 9am on the working day immediately following the day on which it was sent. (5C) In paragraph (5B) “working day” means a day other than a Saturday, a Sunday, Christmas Day, Good Friday or a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.