Draft Regulations laid before Parliament under paragraph 1(1) of Schedule 7 to the European Union (Withdrawal) Act 2018, for approval by resolution of each House of Parliament.
Draft Statutory Instruments
2021 No. 000
Exiting The European Union
Electronic Communications
The Network and Information Systems (EU Exit) (Amendment) Regulations 2021
Made
***
Coming into force
***
The Secretary of State makes these Regulations in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018(1).
In accordance with paragraph 1(1) of Schedule 7 to that Act, a draft of this instrument has been laid before Parliament and approved by a resolution of each House of Parliament.
Citation and commencement
1. These Regulations may be cited as the Network and Information Systems (EU Exit) (Amendment) Regulations 2021 and come into force twenty-eight days after the day on which they are made.
Extent and application
2.—(1) These Regulations extend to England and Wales, Scotland and Northern Ireland.
(2) These Regulations apply to—
(a) the United Kingdom, including its internal waters;
(b) the territorial sea adjacent to the United Kingdom(2); and
(c) the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964(3).
Amendment of the Network and Information Systems Regulations 2018
3.—(1) Regulation 12 of the Network and Information Systems Regulations 2018(4) (relevant digital service providers) is amended as follows.
(2) For paragraph (7)(b) substitute—
“(b) have regard to any relevant guidance published by the Information Commissioner.”.
Amendment of Commission Implementing Regulation (EU) 2018/151
4.—(1) Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact is amended as follows(5).
(2) In Article 2(5) for the words from “Pursuant to” to the end of the paragraph substitute “United Kingdom, European and internationally accepted standards and specifications relevant to the security of network and information systems may also be used.”.
(3) In Article 3(3) for “Member States of the EU” substitute “areas of the United Kingdom”.
(4) Omit Article 4.
Name
Title
Department for Digital, Culture, Media and Sport
Address
Date
EXPLANATORY NOTE
(This note is not part of the Regulations)
These Regulations are made in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018 (c. 16) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(d)) arising from the withdrawal of the United Kingdom from the European Union.
These Regulations amend both the retained EU law version of Commission Implementing Regulation (EU) 2018/151 and the Network and Information Systems Regulations 2018 (S.I. 2018/506) (which relate to securing network and information systems) by amending and removing certain criteria for managing and reporting cyber risks that apply to digital service providers where those criteria are no longer appropriate now that the United Kingdom has left the European Union. In particular, thresholds for reporting cyber incidents that were set by reference to the impact of the incident on the European Union’s population have been removed and these thresholds will instead be set in guidance.
A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sectors is foreseen.
(1) 2018 c. 16. Section 8 was amended by section 27 of the European Union (Withdrawal Agreement) Act 2020 (c. 1). Paragraph 21 of Schedule 7 was amended by the same Act, Schedule 5, paragraph 53.
(2) Section 1(5) of the Territorial Sea Act 1987 (c. 49) has the effect that any reference to the territorial sea adjacent to the United Kingdom (UK) must be construed in accordance with that section and any provision made, or having effect as if made, under it. S.I. 1989/482 and 2014/1353 are Orders made under that section which set out some of the limits of the territorial sea adjacent to the UK.
(3) 1964 c. 29. Section 1(7) was amended by section 37 of, and paragraph 1 of Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23) and section 103 of the Energy Act 2011 (c. 16).
(4) S.I. 2018/506, amended by S.I. 2018/629, 2019/653 and 2020/1245.
(5) EUR 2018/151, amended by S.I. 2019/653.