The Network and Information Systems (EU Exit) (Amendment) Regulations 2021

Draft Regulations laid before Parliament under paragraph 1(1) of Schedule 7 to the European Union (Withdrawal) Act 2018, for approval by resolution of each House of Parliament.

Draft Statutory Instruments

2021 No. 000

Exiting The European Union

Electronic Communications

The Network and Information Systems (EU Exit) (Amendment) Regulations 2021

Made

***

Coming into force

***

In accordance with paragraph 1(1) of Schedule 7 to that Act, a draft of this instrument has been laid before Parliament and approved by a resolution of each House of Parliament.

Citation and commencement

1.  These Regulations may be cited as the Network and Information Systems (EU Exit) (Amendment) Regulations 2021 and come into force twenty-eight days after the day on which they are made.

Extent and application

2.—(1) These Regulations extend to England and Wales, Scotland and Northern Ireland.

(2) These Regulations apply to—

(a) the United Kingdom, including its internal waters;

(b) the territorial sea adjacent to the United Kingdom(2); and

(c) the sea (including the seabed and subsoil) in any area designated under section 1(7) of the Continental Shelf Act 1964(3).

Amendment of the Network and Information Systems Regulations 2018

3.—(1) Regulation 12 of the Network and Information Systems Regulations 2018(4) (relevant digital service providers) is amended as follows.

(2) For paragraph (7)(b) substitute—

“(b) have regard to any relevant guidance published by the Information Commissioner.”.

Amendment of Commission Implementing Regulation (EU) 2018/151

4.—(1) Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact is amended as follows(5).

(2) In Article 2(5) for the words from “Pursuant to” to the end of the paragraph substitute “United Kingdom, European and internationally accepted standards and specifications relevant to the security of network and information systems may also be used.”.

(3) In Article 3(3) for “Member States of the EU” substitute “areas of the United Kingdom”.

(4) Omit Article 4.

Name

Title

Department for Digital, Culture, Media and Sport

Address

Date

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations are made in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018 (c. 16) in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(d)) arising from the withdrawal of the United Kingdom from the European Union.

These Regulations amend both the retained EU law version of Commission Implementing Regulation (EU) 2018/151 and the Network and Information Systems Regulations 2018 (S.I. 2018/506) (which relate to securing network and information systems) by amending and removing certain criteria for managing and reporting cyber risks that apply to digital service providers where those criteria are no longer appropriate now that the United Kingdom has left the European Union. In particular, thresholds for reporting cyber incidents that were set by reference to the impact of the incident on the European Union’s population have been removed and these thresholds will instead be set in guidance.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sectors is foreseen.

(1) 2018 c. 16. Section 8 was amended by section 27 of the European Union (Withdrawal Agreement) Act 2020 (c. 1). Paragraph 21 of Schedule 7 was amended by the same Act, Schedule 5, paragraph 53.

(2) Section 1(5) of the Territorial Sea Act 1987 (c. 49) has the effect that any reference to the territorial sea adjacent to the United Kingdom (UK) must be construed in accordance with that section and any provision made, or having effect as if made, under it. S.I. 1989/482 and 2014/1353 are Orders made under that section which set out some of the limits of the territorial sea adjacent to the UK.

(3) 1964 c. 29. Section 1(7) was amended by section 37 of, and paragraph 1 of Schedule 3 to, the Oil and Gas (Enterprise) Act 1982 (c. 23) and section 103 of the Energy Act 2011 (c. 16).

(5) EUR 2018/151, amended by S.I. 2019/653.