Cyber Security and Resilience (Network and Information Systems) Bill — Bill 385 2024-26 (as amended in committee)

Cyber Security and Resilience (Network and
Information Systems) Bill
[AS AMENDED IN COMMITTEE]
CONTENTS
PART 1
INTRODUCTION
1 Meaning of “the NIS Regulations”
2 Overview of Act
PART 2
THE NIS REGULATIONS
CHAPTER 1
PERSONS REGULATED UNDER THE NIS REGULATIONS
Operators of essential services
3 Identification of operators of essential services
4 Data centres to be regulated as essential services
5 Operators of data centre services: Crown application etc
6 Designation of large load controllers as operators of an essential service
Providers of digital services
7 Digital services
8 Duties of relevant digital service providers
Providers of managed services
9 Managed service providers
10 Duties of managed service providers to manage risks
Persons subject to public authority oversight
11 Digital or managed service providers: meaning of “subject to public authority
oversight”
59/1 Bill 385

Critical suppliers
12 Critical suppliers
CHAPTER 2
PROVISION OF INFORMATION AND REPORTING OF INCIDENTS
Information to be provided by regulated persons
13 Provision of information by operators of data centre services
14 Provision of information by providers of digital or managed services etc
Reporting of incidents by regulated persons
15 Reporting of incidents by regulated persons
16 Notification of incidents to customers
CHAPTER 3
OTHER AMENDMENTS
Cost recovery
17 Powers to impose charges
Information sharing
18 Sharing and use of information under the NIS Regulations etc
Guidance
19 Guidance
Investigatory powers, enforcement and penalties
20 Powers to require information
21 Financial penalties
22 Enforcement and appeals
Other
23 Minor and consequential amendments etc
Cyber Security and Resilience (Network and Information Systems) Bill ii

PART 3
SECURITY AND RESILIENCE OF SYSTEMS: FUNCTIONS OF THE SECRETARY OF STATE
CHAPTER 1
INTRODUCTORY
24 Key definitions in Part 3
CHAPTER 2
STATEMENT OF STRATEGIC PRIORITIES ETC
25 Statement of strategic priorities etc
26 Consultation and procedure in relation to statement
27 Duties of regulatory authorities in relation to statement
28 Report by Secretary of State
CHAPTER 3
REGULATIONS ABOUT SECURITY AND RESILIENCE OF SYSTEMS
29 Regulations relating to security and resilience of network and information
systems
30 Imposition of requirements on regulated persons
31 Functions of regulatory authorities: enforcement, sanctions and appeals
32 Provision about financial penalties
33 Regulatory authorities and other persons: information, guidance and other
functions
34 Recovery of costs of regulatory authorities
35 Supplementary provision and interpretation
CHAPTER 4
CODE OF PRACTICE
36 Code of practice
37 Procedure for issue of code of practice
38 Effects of code of practice
39 Withdrawal of code of practice
CHAPTER 5
REPORT ON NETWORK AND INFORMATION SYSTEMS LEGISLATION
40 Report on network and information systems legislation
iii Cyber Security and Resilience (Network and Information Systems) Bill

CHAPTER 6
REGULATIONS UNDER PART 3
41 Regulations under section 24 or Chapter 3
42 Consultation and procedure
PART 4
DIRECTIONS FOR NATIONAL SECURITY PURPOSES
Directions to regulated persons
43 Directions to regulated persons
44 Compliance with directions under section 43 to take priority
Monitoring of compliance with directions
45 Monitoring by regulatory authorities
Information gathering and inspections
46 Information gathering
47 Inspections
Enforcement of requirements
48 Notification of contravention
49 Penalty amounts
50 Enforcement of notification
51 Enforcement of penalty
52 Enforcement of non-disclosure requirements
Directions to regulatory authorities
53 Power to direct regulatory authorities
General provision
54 Review, variation and revocation of directions
55 Laying before Parliament
56 Information sharing
57 Means of giving directions and notices
58 Interpretation of Part 4
PART 5
GENERAL
59 Extent
60 Commencement
61 Short title
Cyber Security and Resilience (Network and Information Systems) Bill iv

Enforcement and appeals Schedule 1 —
Minor and consequential amendments etc Schedule 2 —
v Cyber Security and Resilience (Network and Information Systems) Bill

[AS AMENDED IN COMMITTEE]
A
BILL
TO
Make provision, including provision amending the Network and Information
Systems Regulations 2018, about the security and resilience of network and
information systems used or relied on in connection with the carrying on of
essential activities.
B
E IT ENACTED by the King’s most Excellent Majesty, by and with the advice and
consent of the Lords Spiritual and Temporal, and Commons, in this present
Parliament assembled, and by the authority of the same, as follows:—
PART 1
INTRODUCTION
1 Meaning of “the NIS Regulations”
5
In this Act, “the NIS Regulations” means the Network and Information Systems
Regulations 2018 (S.I. 2018/506).
2 Overview of Act
(1) Part 2 of this Act contains amendments to the NIS Regulations.
(2) Those amendments include amendments—
(a)
10
extending the application of the NIS Regulations to persons providing
data centres, persons providing services relating to load control, and
persons providing managed services;
(b) providing for the designation of persons as critical suppliers in relation
to persons regulated by the NIS Regulations;
(c) relating to the reporting of incidents;
15(d) relating to the recovery of costs, the sharing and gathering of
information, and enforcement.
(3) Part 3 of this Act contains provision conferring powers on the Secretary of
State—
(a)
20
to specify activities to be regulated and to designate regulatory
authorities to carry out that regulation (see Chapter 1 of that Part);
59/1 Bill 385
1 Cyber Security and Resilience (Network and Information Systems) Bill
Part 1—Introduction

(b) to designate a statement of strategic priorities in relation to the security
and resilience of network and information systems which are used or
relied on in connection with the carrying on of essential activities (see
Chapter 2 of that Part);
5(c) to make regulations relating to the security and resilience of network
and information systems which are used or relied on in connection
with the carrying on of essential activities (see Chapter 3 of that Part);
(d) to issue a code of practice for persons with duties under regulations
10
made under Chapter 3 of that Part or under the NIS Regulations (see
Chapter 4 of that Part).
(4) Chapter 5 of Part 3 requires the Secretary of State to report on legislation
relating to the security and resilience of network and information systems.
(5) Part 4 confers powers on the Secretary of State to give directions to regulated
15
persons and regulatory authorities where threats relating to network and
information systems pose a risk to national security.
PART 2
THE NIS REGULATIONS
CHAPTER 1
PERSONS REGULATED UNDER THE NIS REGULATIONS
20Operators of essential services
3 Identification of operators of essential services
(1) Regulation 8 of the NIS Regulations (identification of operators of essential
services) is amended as follows.
(2) After paragraph (1) insert—
25“(1ZA) Paragraph (1) applies to a person whether or not the person is
established in the United Kingdom.”
(3) For paragraph (1A) substitute—
“(1A) Paragraph (1) does not apply to a person in relation to the provision
30
by the person of a public electronic communications network or a public
electronic communications service (in each case as defined by section 151(1)
of the Communications Act 2003).”
(4) After paragraph (3) insert—
“(3A) A person may be designated under paragraph (3) whether or not the
person is established in the United Kingdom.”
Cyber Security and Resilience (Network and Information Systems) Bill 2
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

4 Data centres to be regulated as essential services
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry
relating to digital infrastructure insert—
5The Office of Communications
(United Kingdom)”.
5
6
Data
infrastructure
5
6
“Data
infrastructure
(3) In Schedule 2 (essential services and threshold requirements), after paragraph
10 insert—
“The data infrastructure subsector
1011.—(1) This paragraph describes the threshold requirements which apply
to specified kinds of essential services in the data infrastructure subsector.
(2) For the essential service of the provision of a data centre service in the
United Kingdom, otherwise than on an enterprise basis, the threshold
15
requirement is that the rated IT load of the data centre is equal to or greater
than 1 megawatt.
(3) For the essential service of the provision of a data centre service in the
United Kingdom on an enterprise basis, the threshold requirement is that the
rated IT load of the data centre is equal to or greater than 10 megawatts.
20
(4) “Data centre service” means a service consisting of the provision of a
physical structure (a “data centre”) which—
(a) contains an area for the housing, connection and operation of relevant
IT equipment, and
(b) provides supporting infrastructure for or in connection with the
operation of relevant IT equipment.
25(5) “Relevant IT equipment” means equipment used for the purposes of
providing information technology services.
(6) “Supporting infrastructure” means one or more of the following—
(a) infrastructure for the supply of electricity;
(b) infrastructure for environmental control;
30(c) infrastructure to ensure the security of the data centre and of relevant
IT equipment in the data centre;
(d) infrastructure to ensure the resilience of the data centre and of relevant
IT equipment in the data centre.
(7) A data centre service is provided on an enterprise basis if—
35(a) the data centre is owned or managed by a person in connection with
the carrying on of an undertaking by the person, and
(b) the sole purpose of the data centre is to provide information
technology services for that undertaking.
(8) In this paragraph—
3 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(a) “environmental control” includes heating, ventilation, air conditioning
and control of matters such as airborne dust, humidity and flames;
(b) the “rated IT load” of a data centre is the maximum electrical power
5
available for the operation of relevant IT equipment housed in the
data centre;
(c) “structure” includes a building or part of a building, and references
to a structure include references to a group of structures.”
5 Operators of data centre services: Crown application etc
10
In regulation 8 of the NIS Regulations (identification of operators of essential
services), before paragraph (7A) insert—
“(7ZA) Subject to paragraph (7ZB), paragraphs (1) and (3) apply in relation
to the provision of an essential service of a kind referred to in paragraph
11(2) or (3) of Schedule 2 (a “data centre service”) by or on behalf of the
Crown.
15(7ZB) Paragraphs (1) and (3) do not apply in relation to the provision of a
data centre service by or on behalf of the Crown—
(a) where the person providing the service is the Security Service, the
Secret Intelligence Service or GCHQ, or
(b) to the extent that the service—
20(i) is provided by a person on a commercial basis on behalf of His
Majesty’s Government, and
(ii) is provided for the purpose of enabling the storage, processing
or transmission of information or other material which is classified
25
as “secret” or “top secret” in accordance with the policy of His
Majesty’s Government on security classification of documents.”
6 Designation of large load controllers as operators of an essential service
(1) Paragraph 1 of Schedule 2 to the NIS Regulations (essential services and
threshold requirements: electricity subsector) is amended as follows.
(2) After sub-paragraph (5) insert—
30“(5A) For the essential service of load control, the threshold requirement in
the United Kingdom is a load controller whose potential electrical control, in
relation to relevant ESAs managed by the controller, is equal to or greater
than 300 megawatts.
35
(5B) For the purposes of sub-paragraph (5A), a load controller’s potential
electrical control, in relation to relevant ESAs managed by it, is the aggregate
of—
(a) the maximum flow of electricity into all of those relevant ESAs (taken
together), and
Cyber Security and Resilience (Network and Information Systems) Bill 4
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(b) the maximum flow of electricity out of all of those relevant ESAs
(taken together),
which is capable of being achieved in response to load control signals sent
by the load controller.
5(5C) For the purposes of this paragraph—
(a) “relevant ESA” means an energy smart appliance (as defined by
section 238(2) of the Energy Act 2023) which is any of the following—
(i) an electric vehicle;
(ii) a charge point (for electric vehicles);
10(iii) an electrical heating appliance;
(iv) a battery energy storage system;
(v) a virtual power plant;
(b) a relevant ESA is “managed” by a person if the person controls the
15
flow of electricity into and out of the relevant ESA by way of load
control signals sent by the person to the relevant ESA;
(c) the maximum flow of electricity into or out of a particular relevant
ESA is to be determined by reference to the electrical capacity of the
relevant ESA as stated by the manufacturer of the relevant ESA.
20
(5D) Where load control signals are sent to a relevant ESA by a person (an
“intermediary”) acting under the direction of or on behalf of a load controller,
that relevant ESA is to be treated for the purposes of this paragraph as
managed by the load controller (and not by the intermediary) unless
sub-paragraph (5E) applies.
25
(5E) Where the intermediary is capable of adjusting or processing the load
control signals sent to a relevant ESA, and is authorised by the load controller
to do so—
(a) the relevant ESA is to be treated for the purposes of this paragraph
as managed by both the load controller and the intermediary, and
(b)
30
the intermediary is also to be treated for those purposes as a load
controller.”
(3) In sub-paragraph (8)—
(a) after paragraph (a) insert—
“(aa) “charge point” has the same meaning as in Part 2 of the
35
Automated and Electric Vehicles Act 2018 (see section 9 of
that Act);”;
(b) after paragraph (c) insert—
“(ca) “electric vehicle” means a vehicle which is capable of being
propelled by electrical power derived from a storage battery;
(cb) “electrical heating appliance” means any of the following—
40(i) a hydronic heat pump;
(ii) a hot water heat pump;
5 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(iii) a hybrid heat pump;
(iv) a direct electric hot water cylinder;
(v) an electric storage heater;
(vi) a heat battery;”;
5(c) after paragraph (g) insert—
“(ga) “load control” and “load control signal” have the same
meaning as in Part 9 of the Energy Act 2023 (see section 238
of that Act), and “load controller” means a person which
provides the service of load control;”.
10Providers of digital services
7 Digital services
(1) Regulation 1 of the NIS Regulations (interpretation etc) is amended as follows.
(2) Paragraph (2) is amended in accordance with subsections (3) to (6).
(3) For the definition of “cloud computing service” substitute—
15““cloud computing service” means a digital service—
(a) which enables access to a scalable and elastic pool of shareable
computing resources (such as networks, servers, software and
storage) where—
(i) there is broad remote access to the service,
20(ii) the service is capable of being provided on demand and
on a self-service basis,
(iii) the pool of computing resources may be distributed across
two or more locations, and
(iv)
25
the service is not provided by a person solely for use for
the purposes of a business or other activity carried on for
that person, and
(b) which is not a managed service;”.
(4) Omit the definitions of “digital service” and “digital service provider”.
(5) After the definition of “online search engine” insert—
30““relevant digital service” means an online marketplace, an online search
engine or a cloud computing service;”.
(6) In the definition of “representative”, for “a digital service provider” substitute
“an RDSP”.
(7) After paragraph (2) insert—
35“(2A) For the purposes of the definition of “cloud computing service” in
paragraph (2)—
Cyber Security and Resilience (Network and Information Systems) Bill 6
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

“broad remote access” means the ability to access and use the service
from any authorised location or facility, by means of any capable
device or platform (including a computer or mobile device);
(a)
(b)
5
a pool of computing resources is “scalable” if the resources are flexibly
allocated by the provider of the service, irrespective of the
geographical location of the resources, in order to handle fluctuations
in demand;
(c) a pool of computing resources is “elastic” if the resources are provided
10
and released according to demand, in order to rapidly increase and
decrease available resources depending on workload;
(d) computing resources are “shareable” if—
(i) multiple users share a common access to the service, which is
provided from the same electronic equipment, and
(ii) processing is carried out separately for each user.”
15(8) In paragraph (3), for sub-paragraph (e) substitute—
“(e) a “relevant digital service provider” (“RDSP”) is a reference to a
person which—
(i) provides a relevant digital service in the United Kingdom
(whether or not the person is established in the United Kingdom),
20(ii) is not designated under regulation 14H in relation to the provision
of that service,
(iii) is not a micro or small enterprise as defined in Commission
Recommendation 2003/361/EC, and
(iv) either—
25(aa) is not subject to public authority oversight, or
(bb) is subject to public authority oversight but derives more
than half of its income from activities of a commercial
nature;”.
(9) After paragraph (3) insert—
30“(3A) A person does not provide a relevant digital service by virtue of
providing a public electronic communications network or a public electronic
communications service (in each case as defined by section 151(1) of the
Communications Act 2003).”
8 Duties of relevant digital service providers
35(1) Regulation 12 of the NIS Regulations (relevant digital service providers) is
amended as follows.
(2) In paragraph (2)—
(a) in sub-paragraph (b), for “their network and information systems with
1
a view to ensuring the continuity of those services” substitute “the
7 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

security of network and information systems referred to in paragraph
(1)”;
(b) omit sub-paragraph (c) (together with the “and” at the end of
sub-paragraph (b)).
5(3) After paragraph (2) insert—
“(2A) An RDSP must have regard to any relevant guidance issued by the
Information Commission when carrying out the duties imposed on it by
paragraph (1).”
Providers of managed services
109 Managed service providers
(1) The NIS Regulations are amended as follows.
(2) Regulation 1 (interpretation etc) is amended in accordance with subsections
(3) to (5).
(3) In paragraph (2), after the definition of “incident” insert—
15““managed service” has the meaning given by paragraph (3B);”.
(4) In paragraph (3), after sub-paragraph (e) insert—
“(ea) a “relevant managed service provider” (“RMSP”) is a reference to a
person which—
(i)
20
provides a managed service in the United Kingdom (whether or
not the person is established in the United Kingdom),
(ii) is not designated under regulation 14H in relation to the provision
of that service,
(iii) is not a micro or small enterprise as defined in Commission
Recommendation 2003/361/EC, and
25(iv) either—
(aa) is not subject to public authority oversight, or
(bb) is subject to public authority oversight but derives more
than half its income from activities of a commercial
nature;”.
30(5) After paragraph (3A) (inserted by section 7(9)) insert—
“(3B) “Managed service” means a service which—
(a) is provided by a person (“P”) under a contract entered into by P and
another person (“the customer”) for the provision of ongoing
35
management of information technology systems for the customer
(whether in the form of support and maintenance, monitoring, active
administration or other activities), and
Cyber Security and Resilience (Network and Information Systems) Bill 8
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(b) is provided to the customer by means of P, or a person acting on P’s
behalf, connecting to or otherwise obtaining access to network and
information systems relied on by the customer in connection with a
business or other activity carried on by the customer.
5(3C) For the purposes of paragraph (3B)(b), it does not matter whether the
connection or access to the network and information systems in question is
established or obtained on the customer’s premises or remotely.
(3D) A person does not provide a managed service by virtue of providing—
(a)
10
a data centre service (as defined by paragraph 11(4) of Schedule 2),
or
(b) a public electronic communications network or a public electronic
communications service (in each case as defined by section 151(1) of
the Communications Act 2003).”
(6)
15
Regulation 3 (designation of competent authorities) is amended in accordance
with subsections (7) and (8).
(7) In paragraph (2), after “RDSPs” insert “and for RMSPs”.
(8) In paragraph (4)—
(a) after “In relation to” insert “relevant”;
(b) after “services” insert “and managed services”.
2010 Duties of managed service providers to manage risks
After regulation 14A of the NIS Regulations insert—
“PART 4A
Relevant managed service providers
RMSPs: duties to manage risks to network and information systems
2514B.—(1) An RMSP must identify and take appropriate and proportionate
measures to manage the risks posed to the security of network and information
systems on which it relies for the purpose of providing managed services
within the United Kingdom.
(2) The measures taken by an RMSP under paragraph (1) must—
30(a) (having regard to the state of the art) ensure a level of security of
network and information systems appropriate to the risk posed, and
(b) prevent and minimise the impact of incidents affecting the security
of network and information systems referred to in paragraph (1).
35
(3) An RMSP must have regard to any relevant guidance issued by the
Information Commission when carrying out the duties imposed on it by
paragraph (1).”
9 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

Persons subject to public authority oversight
11 Digital or managed service providers: meaning of “subject to public authority
oversight”
5
In regulation 1 of the NIS Regulations, after paragraph (3D) (inserted by
section 9(5)) insert—
“(3E) For the purposes of paragraph (3)(e) and (ea), a person is subject to
public authority oversight if the person is subject to the management or
control of—
(a) one or more UK public authorities, or
10(b) a board more than half of the members of which are appointed by
one or more UK public authorities.
In this paragraph, “UK public authority” means a person exercising functions
of a public nature in the United Kingdom.”
Critical suppliers
1512 Critical suppliers
(1) The NIS Regulations are amended as follows.
(2) In regulation 1(2) (interpretation etc), after the definition of “Cooperation
Group” insert—
20
““critical supplier” means a person for the time being designated under
regulation 14H;”.
(3) After regulation 14G (inserted by section 16(4) below) insert—
“PART 4B
Critical suppliers
Designation of critical suppliers
2514H.—(1) A designated competent authority may designate a person (“P”)
under this regulation if—
(a) P supplies goods or services directly to an OES for which the authority
is the designated competent authority,
(b)
30
P relies on network and information systems for the purposes of that
supply,
(c) the designated competent authority considers that—
(i) an incident affecting the operation or security of any network
and information system relied on by P for the purposes of that
supply has the potential to cause disruption to—
Cyber Security and Resilience (Network and Information Systems) Bill 10
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(aa) the provision of any essential service by the person to
which the supply is made, or
(bb) the provision of essential services, relevant digital
5
services or managed services (whether of a particular
kind or generally) by persons to which P supplies goods
or services, and
(ii) any such disruption is likely to have a significant impact on the
economy or the day-to-day functioning of society in the whole
or any part of the United Kingdom, and
10(d) the designation is not prevented by regulation 14I.
(2) The Information Commission may designate a person (“P”) under this
regulation if—
(a) P supplies goods or services directly to an RDSP or an RMSP,
(b)
15
P relies on network and information systems for the purposes of that
supply,
(c) the Information Commission considers that—
(i) an incident affecting the operation or security of any network
and information system relied on by P for the purposes of that
supply has the potential to cause disruption to—
20(aa) the provision of any relevant digital service or managed
service by the person to which the supply is made, or
(bb) the provision of essential services, relevant digital
services or managed services (whether of a particular
25
kind or generally) by persons to which P supplies goods
or services, and
(ii) any such disruption is likely to have a significant impact on the
economy or the day-to-day functioning of society in the whole
or any part of the United Kingdom, and
(d) the designation is not prevented by regulation 14I.
30(3) In reaching a conclusion for the purposes of paragraph (1)(c)(i) or (2)(c)(i),
a designated competent authority or the Information Commission must, in
particular, have regard to whether the OES, RDSP or RMSP to which the
supply is made by P is likely to be able to obtain the goods or services
35
mentioned in paragraph (1)(a) or (2)(a) (as the case may be) from an alternative
source in the event of any such incident.
(4) In reaching a conclusion for the purposes of paragraph (1)(c)(ii) or
(2)(c)(ii), a designated competent authority or the Information Commission
must, in particular, have regard to the likely nature, scale and duration of
40
the potential disruption to the provision of the service or services (as the case
may be).
(5) A person may be designated under this regulation—
(a) by more than one designated competent authority;
11 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(b) by one or more designated competent authorities and the Information
Commission.
(6) In considering whether to designate a person (“P”) under this regulation,
5
a designated competent authority or the Information Commission must, in
particular, consider—
(a) whether the risks that relate to P’s supply of goods or services to an
OES, an RDSP or an RMSP (as the case may be) could, if the
designation were not made, be adequately managed through the
duties imposed on that OES, RDSP or RMSP by these Regulations;
10(b) whether another person exercises regulatory functions in relation to
P (whether or not under these Regulations) and, if so, whether that
is likely to be adequate for the management of those risks.
(7) A person may be designated under this regulation whether or not the
person is established in the United Kingdom.
15(8) In this regulation, references to the supply of goods or services include
the supply of goods or services outside the United Kingdom (as well as within
it).
Restrictions on designation
14I. A person may not be designated under regulation 14H—
20(a) in relation to the provision of an essential service for a subsector for
which the person is deemed to be designated under regulation 8(1)
or (2A) or is designated under regulation 8(3),
(b) in relation to the provision of a relevant digital service by virtue of
which the person is an RDSP, or
25(c) in relation to the provision of a managed service by virtue of which
the person is an RMSP.
Designation: consultation and procedure
14J.—(1) Before designating a person (“P”) under regulation 14H, a
designated competent authority or the Information Commission must—
30(a) consult the persons mentioned in paragraph (2) in relation to the
proposed designation,
(b) give notice in writing to P which—
(i) provides reasons for the proposed designation, and
(ii)
35
specifies a reasonable period within which P may make written
representations about the proposed designation, and
(c) have regard to any representations made to it in accordance with
sub-paragraph (b)(ii).
(2) The persons to be consulted under paragraph (1)(a) are—
(a)
40
in the case of a proposed designation by a designated competent
authority (“the consulting authority”)—
Cyber Security and Resilience (Network and Information Systems) Bill 12
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(i) any other designated competent authority which the consulting
authority considers has a relevant connection with P, and
(ii) the Information Commission, if the consulting authority considers
5
that the Information Commission has a relevant connection with
P,
(b) in the case of a proposed designation by the Information Commission,
any designated competent authority which the Information
Commission considers has a relevant connection with P, and
(c)
10
in any case, such other persons as the designated competent authority
or the Information Commission (as the case may be) considers
appropriate.
(3) For the purposes of paragraph (2)(b)—
(a) a designated competent authority has a relevant connection with P
if—
15(i) P is for the time being designated by that authority under
regulation 14H, or
(ii) the authority is the designated competent authority for an OES
to which P supplies goods or services directly;
(b) the Information Commission has a relevant connection with P if—
20(i) P is for the time being designated by the Information Commission
under regulation 14H, or
(ii) P supplies goods or services directly to an RDSP or an RMSP.
(4) Paragraph (5) applies where, after complying with paragraph (1) in
25
relation to a person, a designated competent authority or the Information
Commission decides to designate the person under regulation 14H.
(5) The designated competent authority or the Information Commission (as
the case may be) must—
(a) give the person a notice confirming the decision, setting out—
(i) the reasons for the decision, and
30(ii) the date on which the designation takes effect, and
(b) give a copy of the notice to the persons consulted under paragraph
(1)(a).
(6) A designated competent authority or the Information Commission may
35
provide for the date from which a designation under regulation 14H made
by it has effect to be a date later than the date set out in the notice under
paragraph (5)(a) by giving notice of the new date to all persons to which the
original notice was given.
Revocation of designation
40
14K.—(1) Where a designated competent authority has designated a person
1
under regulation 14H, the authority may revoke the designation if it considers
13 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

that sub-paragraphs (a) to (d) of regulation 14H(1) are not met in relation to
the person.
(2) Where the Information Commission has designated a person under
5
regulation 14H, the Information Commission may revoke the designation if
it considers that sub-paragraphs (a) to (d) of regulation 14H(2) are not met
in relation to the person.
(3) Where a person (“P”) for the time being designated under regulation
14H by a designated competent authority has reasonable grounds to believe
10
that if P were not already designated by that authority, the authority would
not be able to designate P under regulation 14H, P must, as soon as
practicable—
(a) notify the authority of that belief in writing, providing evidence in
support of that belief, and
(b)
15
where P believes that their designation would be prevented by
regulation 14I(b) or (c), also notify the Information Commission.
(4) Where a designated competent authority receives a notification and
supporting evidence under paragraph (3)(a) from a person, it must have
regard to the notification and evidence in considering whether to revoke the
person’s designation under regulation 14H.
20(5) Where a person (“P”) for the time being designated under regulation
14H by the Information Commission has reasonable grounds to believe that
if P were not already designated by the Information Commission, the
Information Commission would not be able to designate P under regulation
25
14H, P must, as soon as practicable, notify the Information Commission of
that belief in writing, providing evidence in support of that belief.
(6) Where the Information Commission receives a notification and supporting
evidence under paragraph (5) from a person, it must have regard to the
notification and evidence in considering whether to revoke the person’s
designation under regulation 14H.
30(7) Regulation 14J (consultation and procedure) applies in relation to the
revocation of a person’s designation under this regulation as it applies in
relation to the designation of a person under regulation 14H.
Co-ordination
35
14L.—(1) A designated competent authority by which a person (“P”) is for
the time being designated under regulation 14H must co-ordinate the exercise
of its functions under these Regulations in relation to P with—
(a) any other designated competent authority by which P is for the time
being designated under regulation 14H, and
(b)
40
the Information Commission, where P is for the time being designated
under regulation 14H by the Information Commission.
(2) Where a person (“P”) is for the time being designated under regulation
14H by the Information Commission, the Information Commission must
1
co-ordinate the exercise of its functions under these Regulations in relation
Cyber Security and Resilience (Network and Information Systems) Bill 14
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

to P with any designated competent authority by which P is for the time
being designated under that regulation.
(3) The relevant regulators must co-ordinate the exercise of their functions
under these Regulations so far as those functions relate to determining—
5(a) whether a person meets the requirements for designation under
regulation 14H, and
(b) where a person meets those requirements—
(i) whether the person should be designated under regulation 14H,
and
10(ii) if so, by which one or more of the relevant regulators the
designation should be made.
(4) For the purposes of paragraph (3)—
(a) a designated competent authority is a relevant regulator in relation
to a person if—
15(i) the person is for the time being designated by that designated
competent authority, or
(ii) it is reasonable to assume that the person may meet the
requirements for designation under regulation 14H by that
designated competent authority;
20(b) the Information Commission is a relevant regulator in relation to a
person if—
(i) the person is for the time being designated by the Information
Commission, or
(ii)
25
it is reasonable to assume that the person may meet the
requirements for designation under regulation 14H by the
Information Commission.
(5) In complying with a duty under any of paragraphs (1) to (3), the
designated competent authority or the Information Commission (as the case
30
may be) must exercise its power under regulation 15 to request information
from any person with which it is required to co-ordinate if the designated
competent authority or the Information Commission considers that the person
may be expected to have information that is relevant to the duty in question.
(6) A duty imposed by any of paragraphs (1) to (3) does not apply to the
35
extent that compliance with the duty would impose a burden on the
designated competent authority or the Information Commission (as the case
may be) that is disproportionate to the benefits of compliance.
(7) Nothing in this regulation limits or otherwise affects the application of
the consultation and co-operation duties that apply—
(a) to a designated competent authority under regulation 3(3)(g), and
40(b) to the Information Commission under regulation 3(4)(c).
(8) For the purposes of this regulation, a person meets the requirements for
designation under regulation 14H if—
15 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 1—Persons regulated under the NIS Regulations

(a) sub-paragraphs (a) to (d) of regulation 14H(1) are met in relation to
the person, or
(b) sub-paragraphs (a) to (d) of regulation 14H(2) are met in relation to
the person.”
5CHAPTER 2
PROVISION OF INFORMATION AND REPORTING OF INCIDENTS
Information to be provided by regulated persons
13 Provision of information by operators of data centre services
(1) The NIS Regulations are amended as follows.
10(2) After regulation 8 insert—
“Operators of data centre services: information to be provided in connection
with designation
8ZA.—(1) This regulation applies to a person which—
(a)
15
is deemed to be designated under regulation 8(1) as an OES for the
data infrastructure subsector in relation to the provision of a data
centre service, or
(b) is designated under regulation 8(3) as an OES for the data
infrastructure subsector in relation to the provision of a data centre
service.
20(2) The person must, before the end of the relevant 3-month period, provide
the information listed in paragraph (3) to the designated competent authority
for the purpose of enabling the authority to maintain the list mentioned in
regulation 8(8).
(3) The information is—
25(a) the person’s name;
(b) the person’s proper address;
(c) where the person is a body corporate, the names of the directors of
that body;
(d)
30
where the person is a partnership (including a Scottish partnership),
the names of the partners or persons having control or management
of the partnership business;
(e) up-to-date contact details (including email addresses and telephone
numbers).
35
(4) “The relevant 3-month period” is the period of 3 months beginning
with—
Cyber Security and Resilience (Network and Information Systems) Bill 16
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(a) where the person is deemed to be designated as mentioned in
paragraph (1)(a), the first day on which the person was deemed to
be so designated;
(b)
5
where the person is designated as mentioned in paragraph (1)(b), the
day on which the notice under regulation 8(5) was served on the
person in relation to the designation.
(5) For the purposes of paragraph (3)(b), a person’s “proper address” is—
(a) where the person is a body corporate, the address of the registered
or principal office of that body;
10(b) where the person is a partnership (including a Scottish partnership),
the address of the principal office of the partnership;
(c) in any other case, the address where the person will accept service
of documents for the purposes of these Regulations.
15
(6) The person must notify the designated competent authority in writing
of any change to the information listed in paragraph (3) as soon as reasonably
practicable, and in any event before the end of the period of 7 days beginning
with the day on which the change took effect.
(7) In this regulation, “data centre service” means an essential service of a
kind referred to in paragraph 11(2) or (3) of Schedule 2.”
20(3) In regulation 8A (nomination by an OES of a person to act on its behalf in
the United Kingdom), in paragraph (1)(a)—
(a) for “and 10” substitute “, 10 and 11”, and
(b) for “or digital” substitute “, digital or data”.
14 Provision of information by providers of digital or managed services etc
25(1) The NIS Regulations are amended as follows.
(2) In regulation 14 (registration with the Information Commission)—
(a) in paragraph (2), for sub-paragraph (b) substitute—
“(b) the RDSP’s proper address;
(ba)
30
where the RDSP is a body corporate, the names of the
directors of that body;
(bb) where the RDSP is a partnership (including a Scottish
partnership), the names of the partners or persons having
control or management of the partnership business;
(bc) which relevant digital services the RDSP provides;”;
35(b) after paragraph (2) insert—
“(2A) For the purposes of paragraph (2)(b), an RDSP’s “proper
address” is—
(a) where the RDSP is a body corporate, the address of the
registered or principal office of that body;
17 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(b) where the RDSP is a partnership (including a Scottish
partnership), the address of the principal office of the
partnership;
(c)
5
in any other case, the address where the RDSP will accept
service of documents for the purposes of these Regulations.”;
(c) in paragraph (3), for the words from “as soon as possible” to the end
substitute “as soon as reasonably practicable, and in any event before
the end of the period of 7 days beginning with the day on which the
change took effect.”;
10(d) for paragraph (4) substitute—
“(4) In this regulation, “the registration date” means—
(a) where the conditions mentioned in regulation 1(3)(e) are
satisfied in respect of an RDSP on the day on which section
15
14 of the Cyber Security and Resilience (Network and
Information Systems) Act 2026 comes into force, the date on
which the period of 3 months beginning with that day ends;
(b) in any other case, the date on which the period of 3 months
beginning with the day on which the conditions mentioned
20
in regulation 1(3)(e) are first satisfied in respect of the RDSP
ends.”;
(e) after that paragraph insert—
“(5) The Information Commission must send a copy of the register
maintained under paragraph (1) to GCHQ for the purpose of
25
facilitating the exercise by GCHQ of any of its functions under or by
virtue of these Regulations or any other enactment—
(a) before the end of the period of 4 months beginning with the
day on which section 14 of the Cyber Security and Resilience
(Network and Information Systems) Act 2026 comes into force,
and
30(b) subsequently, at annual intervals.”
(3) Regulation 14A (representatives of digital service providers established outside
the United Kingdom) is amended in accordance with subsections (4) to (8).
(4) For paragraph (1) substitute—
35
“(1) This regulation applies to an RDSP which has its principal office outside
the United Kingdom.”
(5) In paragraph (2)—
(a) for “digital service provider” substitute “RDSP”;
(b) in sub-paragraph (b), after “representative” insert “(including an email
address and telephone number)”.
Cyber Security and Resilience (Network and Information Systems) Bill 18
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(6) For paragraphs (3) and (4) substitute—
“(3) The RDSP must comply with paragraph (2)—
(a) where this regulation applies to the RDSP on the day on which section
5
14 of the Cyber Security and Resilience (Network and Information
Systems) Act 2026 comes into force, before the end of the period of
3 months beginning with that day;
(b) in any other case, before the end of the period of 3 months beginning
with the day on which the RDSP becomes an RDSP to which this
10
regulation applies (whether for the first time or on a subsequent
occasion).
(3A) The RDSP must notify the Information Commission of any change to
the information notified under paragraph (2) as soon as reasonably practicable,
and in any event before the end of the period of 7 days beginning with—
(a)
15
where the change is to the representative nominated, the day on
which the change took effect;
(b) where the change is to the representative’s name or contact details,
the day on which the RDSP became aware of the change.
(4) The Information Commission or GCHQ may, for the purposes of carrying
20
out their functions under these Regulations, contact the representative instead
of or in addition to the RDSP.”
(7) In paragraph (5)—
(a) for “paragraph (1)” substitute “paragraph (2)”;
(b) for “digital service provider” substitute “RDSP”.
(8) In the heading, for “digital service providers” substitute “RDSPs”.
25(9) After regulation 14B (inserted by section 10) insert—
“Registration of RMSPs with the Information Commission
14C.—(1) The Information Commission must maintain a register of all RMSPs
that have been notified to it.
30
(2) An RMSP must submit the following details to the Information
Commission before the registration date for the purpose of enabling the
Commission to maintain the register under paragraph (1)—
(a) the name of the RMSP;
(b) the RMSP’s proper address;
(c)
35
where the RMSP is a body corporate, the names of the directors of
that body;
(d) where the RMSP is a partnership (including a Scottish partnership),
the names of the partners or persons having control or management
of the partnership business;
(e)
40
up-to-date contact details (including email addresses and telephone
numbers).
19 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(3) For the purposes of paragraph (2)(b), an RMSP’s “proper address” is—
(a) where the RMSP is a body corporate, the address of the registered
or principal office of that body;
(b)
5
where the RMSP is a partnership (including a Scottish partnership),
the address of the principal office of the partnership;
(c) in any other case, the address where the RMSP will accept service of
documents for the purposes of these Regulations.
(4) “The registration date” means—
(a)
10
where the conditions mentioned in regulation 1(3)(ea) are satisfied
in respect of an RMSP on the day on which section 14 of the Cyber
Security and Resilience (Network and Information Systems) Act 2026
comes into force, the date on which the period of 3 months beginning
with that day ends;
(b)
15
in any other case, the date on which the period of 3 months beginning
with the day on which the conditions mentioned in regulation 1(3)(ea)
are first satisfied in respect of the RMSP ends.
(5) An RMSP must notify the Information Commission in writing of any
change to the information listed in paragraph (2) as soon as reasonably
20
practicable, and in any event before the end of the period of 7 days beginning
with the day on which the change took effect.
(6) The Information Commission must send a copy of the register maintained
under paragraph (1) to GCHQ for the purpose of facilitating the exercise by
GCHQ of any of its functions under or by virtue of these Regulations or any
other enactment—
25(a) before the end of the period of 4 months beginning with the day on
which section 14 of the Cyber Security and Resilience (Network and
Information Systems) Act 2026 comes into force, and
(b) subsequently, at annual intervals.
Representatives of RMSPs established outside the United Kingdom
3014D.—(1) This regulation applies to an RMSP which has its principal office
outside the United Kingdom.
(2) The RMSP must—
(a) nominate in writing a representative in the United Kingdom, and
(b)
35
notify the Information Commission of the representative’s name and
contact details (including an email address and telephone number).
(3) The RMSP must comply with paragraph (2)—
(a) where this regulation applies to the RMSP on the day on which section
14 of the Cyber Security and Resilience (Network and Information
40
Systems) Act 2026 comes into force, before the end of the period of
3 months beginning with that day;
(b) in any other case, before the end of the period of 3 months beginning
1
with the day on which the RMSP becomes an RMSP to which this
Cyber Security and Resilience (Network and Information Systems) Bill 20
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

regulation applies (whether for the first time or on a subsequent
occasion).
(4) The RMSP must notify the Information Commission of any change to
5
the information notified under paragraph (2) as soon as reasonably practicable,
and in any event before the end of the period of 7 days beginning with—
(a) where the change is to the representative nominated, the day on
which the change took effect;
(b) where the change is to the representative’s name or contact details,
the day on which the RMSP became aware of the change.
10(5) The Information Commission or GCHQ may, for the purposes of carrying
out their functions under these Regulations, contact the representative instead
of or in addition to the RMSP.
(6) A nomination under paragraph (2) is without prejudice to any legal
action which could be initiated against the RMSP in question.”
15Reporting of incidents by regulated persons
15 Reporting of incidents by regulated persons
(1) The NIS Regulations are amended as follows.
(2) In regulation 1(2) (interpretation), in the definition of “incident”—
(a) for “an actual” substitute “, or capable of having, an”;
20(b) after “on the” insert “operation or”.
(3) For regulation 11 substitute—
“Notification of incidents (other than in relation to data centre services)
11.—(1) This regulation applies to an OES, except so far as it provides an
25
essential service of a kind referred to in paragraph 11(2) or (3) of Schedule 2
(data centre services).
(2) If the OES is aware that an OES incident has occurred or is occurring,
it must give the designated competent authority for the OES—
(a) an initial notification containing—
(i)
30
the OES’s name and the essential service to which the incident
relates, and
(ii) brief details of the incident, and
(b) a full notification containing the information listed in paragraph (5)
in relation to the incident, so far as known to the OES.
(3) For the purposes of this regulation, an incident is an “OES incident” if—
35(a) the incident has affected or is affecting the operation or security of
the network and information systems relied on to provide the essential
service provided by the OES, and
21 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(b) the impact of the incident in the United Kingdom or any part of it
has been, is or is likely to be significant having regard to the factors
listed in paragraph (4).
(4) The factors referred to in paragraph (3)(b) are—
5(a) the extent of any disruption which has occurred, is occurring or is
likely to occur in relation to the provision of the essential service
provided by the OES;
(b) the number of users which have been affected, are being affected or
are likely to be affected;
10(c) the duration of the incident;
(d) the geographical area which has been affected, is being affected or is
likely to be affected by the incident;
(e) whether the confidentiality, authenticity, integrity or availability of
15
data relating to users of the essential service has been, is being or is
likely to be compromised.
(5) The information referred to in paragraph (2)(b) is—
(a) the OES’s name and the essential service to which the incident relates;
(b) the time the incident occurred, its duration and whether it is ongoing;
(c) information concerning the nature of the incident;
20(d) where the incident was caused by a separate incident affecting another
regulated person, details of that separate incident and of the regulated
person in question;
(e) information concerning the impact (including any cross-border impact)
25
which the incident has had, is having or is likely to have (as the case
may be);
(f) such other information as the OES considers may assist the designated
competent authority in exercising its functions under regulation 11B
in relation to the incident.
(6) The notifications required by paragraph (2) must be given—
30(a) in the case of an initial notification, before the end of the period of
24 hours beginning with the time at which the OES is first aware that
an OES incident has occurred or is occurring;
(b) in the case of a full notification, before the end of the period of 72
hours beginning with that time.
35(7) A notification under paragraph (2) must be in writing, and must be
provided in such form and manner as the designated competent authority
determines.
(8) An OES must send a copy of a notification under paragraph (2) to the
40
CSIRT at the same time as sending the notification to the designated competent
authority for the OES.
(9) In this regulation and regulations 11A and 11B, “regulated person” means
an OES, an RDSP, an RMSP or a critical supplier.
Cyber Security and Resilience (Network and Information Systems) Bill 22
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

Notification of incidents in relation to data centre services
11A.—(1) This regulation applies to an OES so far as it provides an essential
service of a kind referred to in paragraph 11(2) or (3) of Schedule 2 (a “data
centre service”).
5(2) If the OES is aware that a data centre incident has occurred or is
occurring, it must give the designated competent authority for the OES—
(a) an initial notification containing—
(i) the OES’s name and the data centre service to which the incident
relates, and
10(ii) brief details of the incident, and
(b) a full notification containing the information listed in paragraph (4)
in relation to the incident, so far as known to the OES.
(3) In this regulation, “data centre incident” means an incident which could
have had, has had, is having or is likely to have—
15(a) a significant impact on the operation or security of the network and
information systems relied on to provide the data centre service
provided by the OES in the United Kingdom,
(b) a significant impact on the continuity of the data centre service
provided by the OES in the United Kingdom, or
20(c) any other impact, in the United Kingdom or any part of it, which is
significant.
(4) The information referred to in paragraph (2)(b) is—
(a) the OES’s name and the data centre service to which the incident
relates;
25(b) the time the incident occurred, its duration and whether it is ongoing;
(c) information concerning the nature of the incident;
(d) where the incident was caused by a separate incident affecting another
regulated person, details of that separate incident and of the regulated
person in question;
30(e) information concerning the impact (including any cross-border impact)
which the incident could have had, has had, is having or is likely to
have (as the case may be);
(f) such other information as the OES considers may assist the designated
35
competent authority in exercising its functions under regulation 11B
in relation to the incident.
(5) The notifications required by paragraph (2) must be given—
(a) in the case of an initial notification, before the end of the period of
24 hours beginning with the time at which the OES is first aware that
a data centre incident has occurred or is occurring;
40(b) in the case of a full notification, before the end of the period of 72
hours beginning with that time.
23 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(6) A notification under paragraph (2) must be in writing, and must be
provided in such form and manner as the designated competent authority
determines.
5
(7) An OES must send a copy of a notification under paragraph (2) to the
CSIRT at the same time as sending the notification to the designated competent
authority for the OES.
Functions of designated competent authority and CSIRT in relation to
notified incidents
10
11B.—(1) The CSIRT may, after receiving a copy of a notification under
regulation 11 in relation to an incident, notify a relevant authority in a country
or territory outside the United Kingdom if the CSIRT considers that—
(a) the incident has had or is likely to have an impact on the operation
or security of network and information systems relied on for the
provision of an essential service in that country or territory, and
15(b) that impact is or is likely to be significant.
(2) The CSIRT may, after receiving a copy of a notification under regulation
11A in relation to an incident, notify a relevant authority in a country or
territory outside the United Kingdom if the CSIRT considers that the incident
has had or is likely to have a significant impact on—
20(a) the operation or security of network and information systems relied
on for the provision of a data centre service in that country or
territory, or
(b) the continuity of the provision of a data centre service in that country
or territory.
25(3) For the purposes of paragraphs (1) and (2), an authority in a country or
territory outside the United Kingdom is “relevant” if the authority appears
to the CSIRT to exercise functions which correspond to functions under these
Regulations of—
(a)
30
a person designated as a competent authority under regulation 3(1)
or (2),
(b) the SPOC, or
(c) the CSIRT.
(4) A designated competent authority or the CSIRT may, after receiving a
35
notification or a copy of a notification under regulation 11 or 11A in relation
to an incident, provide the OES which gave the notification with such
information as the authority or the CSIRT (as the case may be) considers may
assist the OES to deal with that incident more effectively or prevent a future
incident.
40
(5) Paragraph (6) applies if a designated competent authority or the CSIRT,
after consulting the OES which gave the notification under regulation 11 or
11A, is of the view that—
(a) public awareness about the incident to which the notification relates
is necessary to manage the incident or prevent a future incident, or
Cyber Security and Resilience (Network and Information Systems) Bill 24
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(b) it is otherwise in the public interest for the public to be informed
about the incident.
(6) In such a case—
(a)
5
the designated competent authority or the CSIRT may provide the
public with such information about the incident as the authority or
the CSIRT (as the case may be) considers is necessary for that purpose,
or
(b) the designated competent authority may direct the OES which gave
the notification to do so.
10(7) Before providing information to the public under paragraph (6)(a), the
designated competent authority or the CSIRT (as the case may be) must
consult—
(a) each other, and
(b) the OES which gave the notification in question.
15(8) Before giving a direction under paragraph (6)(b), the designated
competent authority must consult the CSIRT and the OES which gave the
notification in question.
(9) A designated competent authority or the CSIRT may disclose information
20
from a notification under regulation 11 or 11A in relation to an incident to
any regulated person, where the authority or the CSIRT (as the case may be)
considers that disclosure is necessary in the interests of preventing other
similar incidents.
(10) A disclosure of information under paragraph (1), (2) or (9) must not
contain—
25(a) confidential information, or
(b) information which may prejudice the security or commercial interests
of a regulated person.
(11) A disclosure of information under or by virtue of paragraph (6) must
30
not contain information which may prejudice the security interests of a
regulated person.
(12) Information disclosed to a person under paragraph (9) by a designated
competent authority or the CSIRT must not be further disclosed without—
(a) the consent of the designated competent authority or the CSIRT (as
the case may be), and
35(b) where the information relates to an identified or identifiable regulated
person, the consent of that person.
(13) A designated competent authority must provide an annual report to
the SPOC, on or before 1 July in each year, identifying the number and nature
40
of incidents notified to it under regulations 11(2)(b) and 11A(2)(b) during the
preceding year.”
(4) In regulation 12 (relevant digital service providers)—
(a) omit paragraphs (3) to (9) and (11) to (16);
25 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(b) in the heading, after “providers” insert “: duties to manage risks to
network and information systems”.
(5) After regulation 12 insert—
“Notification of RDSP incidents
512A.—(1) If an RDSP is aware that an RDSP incident has occurred or is
occurring, it must give the Information Commission—
(a) an initial notification containing—
(i) the RDSP’s name and the relevant digital service to which the
incident relates, and
10(ii) brief details of the incident, and
(b) a full notification containing the information listed in paragraph (4)
in relation to the incident, so far as known to the RDSP.
(2) For the purposes of this regulation, an incident is an “RDSP incident”
if—
15(a) the incident has affected or is affecting the operation or security of
the network and information systems relied on to provide the relevant
digital service provided by the RDSP, and
(b) the impact of the incident in the United Kingdom or any part of it
20
has been, is or is likely to be significant having regard to the factors
listed in paragraph (3).
(3) The factors referred to in paragraph (2)(b) are—
(a) the extent of any disruption which has occurred, is occurring or is
likely to occur in relation to the provision of the relevant digital
service provided by the RDSP;
25(b) the number of users which have been affected, are being affected or
are likely to be affected;
(c) the duration of the incident;
(d) the geographical area which has been affected, is being affected or is
likely to be affected by the incident;
30(e) whether the confidentiality, authenticity, integrity or availability of
data relating to users of the relevant digital service has been, is being
or is likely to be compromised;
(f) whether there has been, is or is likely to be any impact as a result of
35
the incident on network and information systems of users of the
service;
(g) any impact that the incident has had, is having or is likely to have
on the economy or the day-to-day functioning of society.
(4) The information referred to in paragraph (1)(b) is—
(a)
40
the RDSP’s name and the relevant digital service to which the incident
relates;
(b) the time the incident occurred, its duration and whether it is ongoing;
Cyber Security and Resilience (Network and Information Systems) Bill 26
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(c) information concerning the nature of the incident;
(d) where the incident was caused by a separate incident affecting another
regulated person, details of that separate incident and of the regulated
person in question;
5(e) information concerning the impact (including any cross-border impact)
which the incident has had, is having or is likely to have (as the case
may be);
(f) such other information as the RDSP considers may assist the
10
Information Commission in exercising its functions under regulation
12B in relation to the incident.
(5) The notifications required by paragraph (1) must be given—
(a) in the case of an initial notification, before the end of the period of
24 hours beginning with the time at which the RDSP is first aware
that an RDSP incident has occurred or is occurring;
15(b) in the case of a full notification, before the end of the period of 72
hours beginning with that time.
(6) A notification under paragraph (1) must be in writing, and must be
provided in such form and manner as the Information Commission determines.
20
(7) An RDSP must send a copy of a notification under paragraph (1) to the
CSIRT at the same time as sending the notification to the Information
Commission.
(8) In this regulation and regulation 12B, “regulated person” means an OES,
an RDSP, an RMSP or a critical supplier.
25
Functions of Information Commission and CSIRT in relation to notified
incidents
12B.—(1) The CSIRT may, after receiving a copy of a notification under
regulation 12A in relation to an incident, notify a relevant authority in a
country or territory outside the United Kingdom if the CSIRT considers that—
(a)
30
the incident has had or is likely to have an impact on the operation
or security of network and information systems relied on for the
provision of a relevant digital service in that country or territory, and
(b) that impact is or is likely to be significant.
(2) The Information Commission or the CSIRT may, after receiving a
35
notification or a copy of a notification under regulation 12A in relation to an
incident, provide the RDSP which gave the notification with such information
as the Information Commission or the CSIRT (as the case may be) considers
may assist the RDSP to deal with that incident more effectively or prevent a
future incident.
40
(3) Paragraph (4) applies if the Information Commission or the CSIRT, after
consulting the RDSP which gave the notification under regulation 12A, is of
the view that—
(a) public awareness about the incident to which the notification relates
is necessary to manage the incident or prevent a future incident, or
27 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(b) it is otherwise in the public interest for the public to be informed
about the incident.
(4) In such a case—
(a)
5
the Information Commission or the CSIRT may provide the public
with such information about the incident as the Information
Commission or the CSIRT (as the case may be) considers is necessary
for that purpose, or
(b) the Information Commission may direct the RDSP which gave the
notification to do so.
10(5) Before providing information to the public under paragraph (4)(a), the
Information Commission or the CSIRT (as the case may be) must consult—
(a) each other, and
(b) the RDSP which gave the notification in question.
15
(6) Before giving a direction under paragraph (4)(b), the Information
Commission must consult the CSIRT and the RDSP which gave the notification
in question.
(7) The Information Commission or the CSIRT may disclose information
from a notification under regulation 12A in relation to an incident to any
20
regulated person, where the Information Commission or the CSIRT (as the
case may be) considers that disclosure is necessary in the interests of
preventing other similar incidents.
(8) The Information Commission may provide information to the public
about an incident affecting relevant digital services in a country or territory
outside the United Kingdom if—
25(a) a relevant authority in the country or territory in question notifies
the Information Commission about the incident, and
(b) the Information Commission, having consulted that relevant authority,
is of the view that public awareness about the incident to which the
30
notification relates is necessary to manage the incident or prevent a
future incident or is otherwise in the public interest.
(9) A disclosure of information under paragraph (1) or (7) must not contain—
(a) confidential information, or
(b) information which may prejudice the security or commercial interests
of a regulated person.
35(10) A disclosure of information under or by virtue of paragraph (4) or (8)
must not contain information which may prejudice the security interests of
a regulated person.
(11) Information disclosed to a person under paragraph (7) by the
Information Commission or the CSIRT must not be further disclosed without—
40(a) the consent of the Information Commission or the CSIRT (as the case
may be), and
(b) where the information relates to an identified or identifiable regulated
person, the consent of that person.
Cyber Security and Resilience (Network and Information Systems) Bill 28
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(12) The Information Commission must provide an annual report to the
SPOC, on or before 1 July in each year, identifying the number and nature
of incidents notified to it under regulation 12A(1)(b) during the preceding
year.
5(13) For the purposes of this regulation, an authority in a country or territory
outside the United Kingdom is “relevant” if the authority appears to the
CSIRT or the Information Commission (as the case may be) to exercise
functions which correspond to functions under these Regulations of—
(a)
10
a person designated as a competent authority under regulation 3(1)
or (2),
(b) the SPOC, or
(c) the CSIRT.”
(6) In regulation 13 (co-operation with European Union), for “12(3)” substitute
“12A”.
15(7) After regulation 14D (inserted by section 14) insert—
“Notification of RMSP incidents
14E.—(1) If an RMSP is aware that an RMSP incident has occurred or is
occurring, it must give the Information Commission—
(a) an initial notification containing—
20(i) the RMSP’s name and the managed service to which the incident
relates, and
(ii) brief details of the incident, and
(b) a full notification containing the information listed in paragraph (4)
in relation to the incident, so far as known to the RMSP.
25(2) For the purposes of this regulation, an incident is an “RMSP incident”
if—
(a) the incident has affected or is affecting the operation or security of
the network and information systems relied on to provide the
managed service provided by the RMSP, and
30(b) the impact of the incident in the United Kingdom or any part of it
has been, is or is likely to be significant having regard to the factors
listed in paragraph (3).
(3) The factors referred to in paragraph (2)(b) are—
(a)
35
the extent of any disruption which has occurred, is occurring or is
likely to occur in relation to the provision of the managed service
provided by the RMSP;
(b) the number of users which have been affected, are being affected or
are likely to be affected;
(c) the duration of the incident;
29 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(d) the geographical area which has been affected, is being affected or is
likely to be affected by the incident;
(e) whether the confidentiality, authenticity, integrity or availability of
5
data relating to users of the managed service has been, is being or is
likely to be compromised;
(f) whether there has been, is or is likely to be any impact as a result of
the incident on network and information systems of users of the
service;
(g)
10
any impact that the incident has had, is having or is likely to have
on the economy or the day-to-day functioning of society.
(4) The information referred to in paragraph (1)(b) is—
(a) the RMSP’s name and the managed service to which the incident
relates;
(b) the time the incident occurred, its duration and whether it is ongoing;
15(c) information concerning the nature of the incident;
(d) where the incident was caused by a separate incident affecting another
regulated person, details of that separate incident and of the regulated
person in question;
(e)
20
information concerning the impact (including any cross-border impact)
which the incident has had, is having or is likely to have (as the case
may be);
(f) such other information as the RMSP considers may assist the
Information Commission in exercising its functions under regulation
14F in relation to the incident.
25(5) The notifications required by paragraph (1) must be given—
(a) in the case of an initial notification, before the end of the period of
24 hours beginning with the time at which the RMSP is first aware
that an RMSP incident has occurred or is occurring, and
(b)
30
in the case of a full notification, before the end of the period of 72
hours beginning with that time.
(6) A notification under paragraph (1) must be in writing, and must be
provided in such form and manner as the Information Commission determines.
(7) An RMSP must send a copy of a notification under paragraph (1) to the
35
CSIRT at the same time as sending the notification to the Information
Commission.
(8) In this regulation and regulation 14F, “regulated person” means an OES,
an RDSP, an RMSP or a critical supplier.
Functions of Information Commission and CSIRT in relation to notified
incidents
4014F.—(1) The CSIRT may, after receiving a copy of a notification under
regulation 14E in relation to an incident, notify a relevant authority in a
country or territory outside the United Kingdom if the CSIRT considers that—
Cyber Security and Resilience (Network and Information Systems) Bill 30
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(a) the incident has had or is likely to have an impact on the operation
or security of network and information systems relied on for the
provision of a managed service in that country or territory, and
(b) that impact is or is likely to be significant.
5(2) The Information Commission or the CSIRT may, after receiving a
notification or a copy of a notification under regulation 14E in relation to an
incident, provide the RMSP which gave the notification with such information
as the Information Commission or the CSIRT (as the case may be) considers
10
may assist the RMSP to deal with that incident more effectively or prevent
a future incident.
(3) Paragraph (4) applies if the Information Commission or the CSIRT, after
consulting the RMSP which gave the notification under regulation 14E, is of
the view that—
(a)
15
public awareness about the incident to which the notification relates
is necessary to manage the incident or prevent a future incident, or
(b) it is otherwise in the public interest for the public to be informed
about the incident.
(4) In such a case—
(a)
20
the Information Commission or the CSIRT may provide the public
with such information as the Information Commission or the CSIRT
(as the case may be) considers is necessary for that purpose, or
(b) the Information Commission may direct the RMSP which gave the
notification to do so.
25
(5) Before providing information to the public under paragraph (4)(a), the
Information Commission or the CSIRT (as the case may be) must consult—
(a) each other, and
(b) the RMSP which gave the notification in question.
(6) Before giving a direction under paragraph (4)(b), the Information
30
Commission must consult the CSIRT and the RMSP which gave the notification
in question.
(7) The Information Commission or the CSIRT may disclose information
from a notification under regulation 14E in relation to an incident to any
regulated person, where the Information Commission or the CSIRT (as the
35
case may be) considers that disclosure is necessary in the interests of
preventing other similar incidents.
(8) The Information Commission may provide information to the public
about an incident affecting managed services in a country or territory outside
the United Kingdom if—
(a)
40
a relevant authority in the country or territory in question notifies
the Information Commission about the incident, and
(b) the Information Commission, having consulted that relevant authority,
is of the view that public awareness about the incident to which the
notification relates is necessary to manage the incident or prevent a
future incident or is otherwise in the public interest.
31 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(9) A disclosure of information under paragraph (1) or (7) must not contain—
(a) confidential information, or
(b) information which may prejudice the security or commercial interests
of a regulated person.
5(10) A disclosure of information under or by virtue of paragraph (4) or (8)
must not contain information which may prejudice the security interests of
a regulated person.
(11) Information disclosed to a person under paragraph (7) by the
Information Commission or the CSIRT must not be further disclosed without—
10(a) the consent of the Information Commission or the CSIRT (as the case
may be), and
(b) where the information relates to an identified or identifiable regulated
person, the consent of that person.
15
(12) The Information Commission must provide an annual report to the
SPOC, on or before 1 July in each year, identifying the number and nature
of incidents notified to it under regulation 14E(1)(b) during the preceding
year.
(13) For the purposes of this regulation, an authority in a country or territory
20
outside the United Kingdom is “relevant” if the authority appears to the
CSIRT or the Information Commission (as the case may be) to exercise
functions which correspond to functions under these Regulations of—
(a) a person designated as a competent authority under regulation 3(1)
or (2),
(b) the SPOC, or
25(c) the CSIRT.”
16 Notification of incidents to customers
(1) The NIS Regulations are amended as follows.
(2) After regulation 11B (inserted by section 15(3)) insert—
“Incidents: notification of customers
3011C.—(1) This regulation applies to an OES so far as it provides an essential
service of a kind referred to in paragraph 11(2) or (3) of Schedule 2 (a “data
centre service”).
(2) After the OES has given a full notification under regulation 11A(2)(b),
the OES must, as soon as reasonably practicable—
35(a) take reasonable steps to establish which of its customers in the United
Kingdom are likely to be adversely affected by the incident to which
the notification relates, and
(b) after those steps have been taken, notify those customers of the
incident.
Cyber Security and Resilience (Network and Information Systems) Bill 32
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(3) When considering whether a customer is likely to be adversely affected
by the incident, the OES must take into account—
(a) the extent of any actual or likely disruption to the provision of the
data centre service provided by the OES to the customer,
5(b) whether the confidentiality, authenticity, integrity or availability of
any data relating to the customer is likely to be compromised, and
(c) any other impact on network and information systems of the customer.
(4) A notification under paragraph (2)(b) must—
(a) provide details of the nature of the incident, and
10(b) explain why the OES considers that the customer is likely to be
adversely affected by the incident.”
(3) After regulation 12B (inserted by section 15(5)) insert—
“Incidents: notification of customers
15
12C.—(1) After an RDSP has given a full notification under regulation
12A(1)(b), the RDSP must, as soon as reasonably practicable—
(a) take reasonable steps to establish which of its customers in the United
Kingdom are likely to be adversely affected by the incident to which
the notification relates, and
(b)
20
after those steps have been taken, notify those customers of the
incident.
(2) When considering whether a customer is likely to be adversely affected
by the incident, the RDSP must take into account—
(a) the extent of any actual or likely disruption to the provision of the
relevant digital service provided by the RDSP to the customer,
25(b) whether the confidentiality, authenticity, integrity or availability of
any data relating to the customer is likely to be compromised, and
(c) any other impact on network and information systems of the customer.
(3) A notification under paragraph (1)(b) must—
(a) provide details of the nature of the incident, and
30(b) explain why the RDSP considers that the customer is likely to be
adversely affected by the incident.”
(4) After regulation 14F (inserted by section 15(7)) insert—
“Incidents: notification of customers
35
14G.—(1) After an RMSP has given a full notification under regulation
14E(1)(b), the RMSP must, as soon as reasonably practicable—
(a) take reasonable steps to establish which of its customers in the United
Kingdom are likely to be adversely affected by the incident to which
the notification relates, and
33 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 2—Provision of information and reporting of incidents

(b) after those steps have been taken, notify those customers of the
incident.
(2) When considering whether a customer is likely to be adversely affected
by the incident, the RMSP must take into account—
5(a) the extent of any actual or likely disruption to the provision of the
managed service provided by the RMSP to the customer,
(b) whether the confidentiality, authenticity, integrity or availability of
any data relating to the customer is likely to be compromised, and
(c) any other impact on network and information systems of the customer.
10(3) A notification under paragraph (1)(b) must—
(a) provide details of the nature of the incident, and
(b) explain why the RMSP considers that the customer is likely to be
adversely affected by the incident.”
CHAPTER 3
15OTHER AMENDMENTS
Cost recovery
17 Powers to impose charges
After regulation 20 of the NIS Regulations insert—
“PART 5A
20Powers to impose charges
Periodic charges under charging schemes
20A.—(1) A NIS enforcement authority may impose a charge on a person
in respect of the authority’s relevant costs if—
(a)
25
a scheme made by the authority for the purposes of this regulation
(a “charging scheme”) has effect,
(b) the charge relates to a period specified in the charging scheme (a
“chargeable period”),
(c) the person is or was regulated by the authority during the whole or
part of the chargeable period, and
30(d) the charge is imposed in accordance with the charging scheme.
(2) For the purposes of paragraph (1)—
(a) a NIS enforcement authority’s “relevant costs” are its costs or expected
costs in connection with the exercise of any of its functions under or
35
by virtue of these Regulations or Part 3 or 4 of the Cyber Security
and Resilience (Network and Information Systems) Act 2026;
Cyber Security and Resilience (Network and Information Systems) Bill 34
Part 2—The NIS Regulations
Chapter 3—Other amendments

(b) the costs in respect of which a NIS enforcement authority may impose
a periodic charge include costs incurred by the authority before the
relevant day in preparation for the imposition of charges in accordance
with this regulation,
5and in sub-paragraph (b) “the relevant day” is the day on which section 17
of the Cyber Security and Resilience (Network and Information Systems) Act
2026 comes into force.
(3) A charging scheme made by a NIS enforcement authority must specify—
(a)
10
the functions of the authority in respect of which a charge is payable
in accordance with the scheme,
(b) the chargeable periods under the scheme,
(c) either—
(i) the amount of a charge, or
(ii)
15
how the amount of a charge is to be determined by the authority
(including factors to be taken into account in making the
determination),
(d) when and how a charge is to be paid, and
(e) the date (not before the end of the 14-day period beginning with the
20
day on which the scheme is published) from which the scheme has
effect.
(4) A charging scheme made by a NIS enforcement authority—
(a) may provide for charges to be imposed in respect of anything done
by the authority in connection with the enforcement of requirements
25
imposed under or by virtue of these Regulations or Part 3 or 4 of the
Cyber Security and Resilience (Network and Information Systems)
Act 2026;
(b) may make different provision for different purposes (including
different provision in relation to persons of different descriptions or
different circumstances);
30(c) may provide that a charge is not payable by persons of a description
specified in the scheme or if conditions specified in the scheme are
met.
(5) A charge payable by a person in accordance with a charging scheme
need not relate to the exercise of functions in relation to the person.
35(6) A NIS enforcement authority may revise or revoke its charging scheme.
(7) A NIS enforcement authority must publish its charging scheme (including
any revised scheme).
(8) Before making or revising a charging scheme, a NIS enforcement
40
authority must consult such of the persons regulated by the authority as it
considers appropriate.
(9) No consultation is required under paragraph (8) in relation to revisions
of a charging scheme that are only minor.
35 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(10) For the purposes of this regulation, a person (“P”) is regulated by a
NIS enforcement authority if—
(a) where the NIS enforcement authority is a person designated by
regulation 3(1), P is—
5(i) an OES within a subsector specified in column 2 of the table in
Schedule 1 for which the authority is specified in column 3 of
that table, or
(ii) a person in respect of which a designation by the authority under
regulation 14H(1) has effect;
10(b) where the NIS enforcement authority is the Information Commission,
P is—
(i) an RDSP or an RMSP, or
(ii) a person in respect of which a designation by the Information
Commission under regulation 14H(1) has effect.
15Further provision about periodic charges under regulation 20A
20B.—(1) Where the amount of a charge payable by a person (“P”) to a NIS
enforcement authority under regulation 20A is determined by reference to
P’s turnover in respect of a period specified in the authority’s charging scheme,
20
the amount of that turnover is, in the event of a disagreement between P and
the authority, the amount determined by the authority.
(2) A charge payable to a NIS enforcement authority in accordance with
the authority’s charging scheme is recoverable as a civil debt due to the
authority.
25
(3) A NIS enforcement authority must, in relation to each chargeable period
in respect of which a charge is payable to the authority under regulation 20A,
produce a statement setting out the required information.
(4) The required information is—
(a) the aggregate amount of the charges payable to the authority in
30
relation to the chargeable period which has been received by the NIS
enforcement authority,
(b) the aggregate amount of the charges payable to the authority in
relation to the chargeable period which remains outstanding and is
likely to be paid or recovered, and
(c)
35
the cost to the authority of the exercise of functions in respect of
which charges are payable to the authority in relation to the
chargeable period.
(5) A NIS enforcement authority must publish a statement produced by it
under paragraph (3) in relation to a chargeable period—
(a)
40
if the charges to which the statement relates are payable to the
authority before the end of that period, as soon as reasonably
practicable after the end of the period;
Cyber Security and Resilience (Network and Information Systems) Bill 36
Part 2—The NIS Regulations
Chapter 3—Other amendments

(b) if the charges to which the statement relates are payable to the
authority after the end of that period, as soon as reasonably practicable
after the time by which all charges payable to the authority in
accordance with its charging scheme are required to be paid.
5(6) In this regulation—
“chargeable period”, in relation to a charging scheme, means a period
specified in the scheme by virtue of regulation 20A(3)(b);
“charging scheme”, in relation to a NIS enforcement authority, has the
meaning given by regulation 20A(1)(a).
10Charges (other than under periodic charges under regulation 20A)
20C.—(1) A NIS enforcement authority may require a person which is or
has been regulated by the authority to pay it a charge in respect of costs
incurred by or on behalf of the authority in exercising a function under these
Regulations in relation to the person.
15(2) Where a person is required by a NIS enforcement authority to pay a
charge under paragraph (1), the authority must give the person an invoice
stating the costs to which the charge relates.
(3) A NIS enforcement authority may not impose a charge under paragraph
(1) in connection with—
20(a) costs relating to an appeal under regulation 19A against a decision
of the authority,
(b) costs relating to the bringing of proceedings by the authority under
regulation A20, or
(c)
25
the exercise of any function in respect of which a charge is payable
to the authority in accordance with a scheme made by the authority
for the purposes of regulation 20A.
(4) A charge payable under paragraph (1) is recoverable as a civil debt due
to the NIS enforcement authority.
30
(5) The reference in paragraph (1) to a person regulated by a NIS
enforcement authority is to be construed in accordance with regulation
20A(10).”
Information sharing
18 Sharing and use of information under the NIS Regulations etc
(1)
35
In regulation 3 of the NIS Regulations (designation of national competent
authorities)—
(a) in paragraph (3)(e), for the words from “, as the SPOC” to the end
substitute “for the purpose of facilitating the exercise by GCHQ of
any of its functions under or by virtue of these Regulations or any
other enactment;”;
37 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(b) after paragraph (5) insert—
“(5A) A copy of the lists kept by it as required by paragraph (3)(c)
and (d) must be sent by a competent authority under paragraph
(3)(e)—
5(a) before the end of the period of 4 months beginning with the
day on which section 18(1) of the Cyber Security and Resilience
(Network and Information Systems) Act 2026 comes into force,
and
(b) subsequently, at annual intervals.”
10(2) In regulation 4 of the NIS Regulations (single point of contact)—
(a) in paragraph (2), for “Member State of the EU” substitute “country or
territory outside the United Kingdom”;
(b) after paragraph (2) insert—
15
“(2ZA) For the purposes of paragraph (2), an authority in a country
or territory outside the United Kingdom is “relevant” if the authority
appears to the SPOC to exercise functions which correspond to
functions under these Regulations of—
(a) a person designated as a competent authority under regulation
3(1) or (2),
20(b) the SPOC, or
(c) the CSIRT.”
(3) For regulation 6 of the NIS Regulations substitute—
“Sharing of information
25
6.—(1) A NIS enforcement authority may disclose to another NIS enforcement
authority or to a person within paragraph (2) information obtained in the
exercise of its functions—
(a) for the purposes of these Regulations or of facilitating the exercise
by a NIS enforcement authority of any of its functions under or by
30
virtue of these Regulations or any other enactment (including an
enactment comprised in, or in an instrument made under, an Act of
the Scottish Parliament),
(b) otherwise in connection with—
(i) the security and resilience of network and information systems,
or
35(ii) any other matter relating to cyber security and resilience,
(c) for national security purposes,
(d) in connection with the prevention or detection of crime (whether or
not in the United Kingdom),
(e)
40
in connection with the investigation of a criminal offence (whether
or not in the United Kingdom), or
Cyber Security and Resilience (Network and Information Systems) Bill 38
Part 2—The NIS Regulations
Chapter 3—Other amendments

(f) for the purposes of criminal proceedings (whether or not in the United
Kingdom).
(2) The following persons are within this paragraph—
(a) the Secretary of State;
5(b) a relevant law-enforcement authority;
(c) the CSIRT;
(d) a UK public authority which does not fall within any of
sub-paragraphs (a) to (c).
10
(3) A person within paragraph (2) may disclose to a NIS enforcement
authority information obtained in the exercise of the person’s functions for
any of the purposes mentioned in paragraph (1).
For this purpose, the reference in paragraph (2)(b) to a relevant
law-enforcement authority is to be read as a reference to a relevant
law-enforcement authority which exercises functions in the United Kingdom.
15(4) A disclosure under paragraph (1) or (3) must be limited to information
which is relevant and proportionate to the purpose for which the disclosure
is being made.
(5) A NIS enforcement authority may disclose to the Secretary of State
20
information obtained in the exercise of its functions if the authority considers
that the information—
(a) may be relevant for the purposes of a report under section 40 of the
Cyber Security and Resilience (Network and Information Systems)
Act 2026 (reports on network and information systems legislation),
(b)
25
may assist the Secretary of State in assessing the provision and
availability of data centre services in the United Kingdom, or
(c) may assist the Secretary of State in formulating policy relating to—
(i) the provision and availability of data centre services in the United
Kingdom, or
(ii) national security.
30(6) The Secretary of State may disclose to a NIS enforcement authority
information obtained by the Secretary of State in the exercise of functions
under these Regulations if the Secretary of State considers that doing so may
assist the Secretary of State—
(a)
35
in preparing a report under section 40 of the Cyber Security and
Resilience (Network and Information Systems) Act 2026,
(b) in assessing the provision and availability of data centre services in
the United Kingdom, or
(c) in formulating policy relating to anything mentioned in paragraph
(5)(c).
40(7) A NIS enforcement authority may disclose information obtained by the
authority in the exercise of its functions to a relevant overseas authority if—
(a) the disclosure is for a purpose mentioned in paragraph (1), and
39 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(b) the disclosure is limited to information which is relevant and
proportionate to the purpose for which the disclosure is being made.
(8) In paragraph (7), a “relevant overseas authority”, in relation to a
5
disclosure by a NIS enforcement authority, means a person in any country
or territory outside the United Kingdom which appears to the NIS enforcement
authority to exercise functions of a public nature which—
(a) correspond to functions under these Regulations of—
(i) a person designated as a competent authority under regulation
3(1) or (2),
10(ii) the SPOC, or
(iii) the CSIRT, or
(b) relate to any of the matters mentioned in paragraph (1)(c) to (f).
(9) In this regulation—
15
“data centre service” means an essential service of a kind referred to in
paragraph 11(2) or (3) of Schedule 2;
“UK public authority” means a person exercising functions of a public
nature in the United Kingdom.
Onward disclosure and further provision about information sharing
20
6A.—(1) Information disclosed to a person under regulation 6 (“relevant
information”) must not be further disclosed except in accordance with
paragraph (2) or (4).
(2) Relevant information may be disclosed—
(a) to the Secretary of State if—
(i)
25
the disclosure is for a purpose mentioned in regulation 6(1) and
the disclosure is limited to information which is relevant and
proportionate to that purpose, or
(ii) the person making the disclosure considers that any of
sub-paragraphs (a) to (c) of regulation 6(5) applies in relation to
the information;
30(b) to any of the persons mentioned in paragraph (3), if the disclosure
is for a purpose mentioned in regulation 6(1) and the disclosure is
limited to information which is relevant and proportionate to that
purpose.
(3) The persons referred to in paragraph (2)(b) are—
35(a) a relevant law-enforcement authority;
(b) the CSIRT;
(c) a UK public authority (within the meaning of regulation 6) which
does not fall within sub-paragraph (a) or (b).
(4) Relevant information may be disclosed to any person with—
Cyber Security and Resilience (Network and Information Systems) Bill 40
Part 2—The NIS Regulations
Chapter 3—Other amendments

(a) the consent of the person from which the information was obtained,
and
(b) where the information relates to an identified or identifiable individual
or business, the consent of that individual or business.
5(5) The disclosure of information under any provision of regulation 6 or
this regulation does not breach—
(a) any obligation of confidence owed by the person making the
disclosure, or
(b)
10
any other restriction on the disclosure of information (however
imposed).
(6) Nothing in regulation 6 or this regulation authorises a disclosure of
information which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part
9 of the Investigatory Powers Act 2016.
15
(7) Regulation 6 and this regulation do not limit the circumstances in which
information may be disclosed apart from those regulations.
Use of information by the Information Commission
6B. The Information Commission may use information obtained by it under
or by virtue of these Regulations for the purpose of facilitating the exercise
20
of any of its functions under or by virtue of any other enactment, if it considers
that the use of the information for that purpose is necessary and
proportionate.”
(4) In regulation 7 of the NIS Regulations (information sharing - Northern Ireland),
after paragraph (1) insert—
“(1A) The disclosure of information under paragraph (1) does not breach—
25(a) any obligation of confidence owed by the person making the
disclosure, or
(b) any other restriction on the disclosure of information (however
imposed).
30
(1B) This regulation does not authorise a disclosure of information which
is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory
Powers Act 2016.”
Guidance
19 Guidance
(1) The NIS Regulations are amended as follows.
35(2) Regulation 3 (designation of national competent authorities) is amended in
accordance with subsections (3) to (5).
41 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(3) After paragraph (3) insert—
“(3ZA) Guidance under paragraph (3)(b) must, in particular, include guidance
on—
(a)
5
the taking of appropriate and proportionate measures under regulation
10(1) and (2);
(b) the requirements imposed on OESs by regulation 11;
(c) the requirements imposed by regulations 8ZA, 11A and 11C on OESs
which provide an essential service of a kind referred to in paragraph
11(2) or (3) of Schedule 2.
10(3ZB) When preparing guidance under paragraph (3)(b), a designated
competent authority must have regard to any relevant code which is in force,
so far as the code appears to the authority to be relevant to persons regulated
by it, with a view to ensuring that the guidance is consistent with the code.
15
(3ZC) When preparing guidance under paragraph (3)(b) that relates to
critical suppliers, or to the designation of persons under regulation 14H, a
designated competent authority must—
(a) coordinate with other designated competent authorities and the
Information Commission with a view to ensuring that, where
20
appropriate, the guidance is consistent with guidance issued or to be
issued by those other designated competent authorities and the
Information Commission, and
(b) consult each of the other designated competent authorities and the
Information Commission before publishing the guidance.”;
(4) After paragraph (4) insert—
25“(4A) Guidance under paragraph (4)(b) must, in particular, include guidance
on—
(a) the taking of appropriate and proportionate measures by RDSPs under
regulation 12(1);
(b) the requirements imposed on RDSPs by regulations 12A, 12C and 14;
30(c) the taking of appropriate and proportionate measures by RMSPs
under regulation 14B(1);
(d) the requirements imposed on RMSPs by regulations 14C, 14E and
14G.
35
(4B) When preparing guidance under paragraph (4)(b), the Information
Commission must have regard to any relevant code which is in force, so far
as the code appears to the Information Commission to be relevant to persons
regulated by it, with a view to ensuring that the guidance is consistent with
the code.
40
(4C) When preparing guidance under paragraph (4)(b) that relates to critical
suppliers, or to the designation of persons under regulation 14H, the
Information Commission must—
Cyber Security and Resilience (Network and Information Systems) Bill 42
Part 2—The NIS Regulations
Chapter 3—Other amendments

(a) coordinate with the designated competent authorities with a view to
ensuring that, where appropriate, the guidance is consistent with
guidance issued or to be issued by those designated competent
authorities, and
5(b) consult each of the designated competent authorities before publishing
the guidance.”
(5) After paragraph (6) insert—
“(7) In this regulation, “relevant code” means a code of practice issued under
10
section 36 of the Cyber Security and Resilience (Network and Information
Systems) Act 2026.”
(6) After regulation 3 insert—
“Guidance
3A. A designated competent authority and the Information Commission
15
must have regard to any relevant guidance published by the Secretary of
State when carrying out their functions under these Regulations.”
Investigatory powers, enforcement and penalties
20 Powers to require information
(1) The NIS Regulations are amended as follows.
(2)
20
In the heading of Part 5, for “Enforcement” substitute “Information,
enforcement”.
(3) For regulation 15 substitute—
“Information gathering
15.—(1) A designated competent authority may require a person to which
25
paragraph (3) applies to give the authority such information or documents
as it reasonably requires for the purpose of exercising or deciding whether
to exercise any of its functions under these Regulations.
(2) The Information Commission may require a person to which paragraph
(3) applies to give the Information Commission such information or documents
30
as it reasonably requires for the purpose of exercising or deciding whether
to exercise any of its functions under these Regulations.
(3) This paragraph applies to—
(a) in a case within paragraph (1)—
(i) a person regulated by the designated competent authority, and
(ii)
35
any other person (other than the SPOC or the CSIRT) which
appears to the designated competent authority to be likely to
have the information or documents sought;
43 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(b) in a case within paragraph (2)—
(i) a person regulated by the Information Commission, and
(ii) any other person (other than the SPOC or the CSIRT) which
5
appears to the Information Commission to be likely to have the
information or documents sought.
(4) The information or documents which may be required by a designated
competent authority under paragraph (1) include, in particular, information
or documents for any of the following purposes—
(a)
10
establishing whether a person falls within regulation 8(1) or meets
the conditions for designation by the authority under regulation 8(3);
(b) establishing whether a person meets the requirements for designation
under regulation 14H by the authority;
(c) deciding whether to designate a person under regulation 8(3) or 14H;
(d)
15
deciding whether to revoke a person’s designation under regulation
9 or 14K;
(e) determining the amount of a penalty payable by a person to the
authority under regulation 18;
(f) determining the amount of a charge payable by a person under a
scheme made by the authority under regulation 20A(1).
20(5) The information or documents which may be required by the Information
Commission under paragraph (2) include, in particular, information or
documents for any of the following purposes—
(a) establishing whether a person is an RDSP or an RMSP;
(b)
25
establishing whether a person meets the requirements for designation
under regulation 14H by the Information Commission;
(c) deciding whether to designate a person under regulation 14H;
(d) deciding whether to revoke a person’s designation under regulation
14K;
(e)
30
determining the amount of a penalty payable by a person to the
Information Commission under regulation 18;
(f) determining the amount of a charge payable by a person under a
scheme made by the Information Commission under regulation 20A(1).
(6) The power conferred by paragraph (1) or (2) is to be exercised by giving
35
the person in question a notice in writing (an “information notice”) which
must—
(a) specify or describe the information or documents sought,
(b) explain why the information or documents are being sought,
(c) specify the manner and form in which the information or documents
must be given,
40(d) specify the time by which, or period within which, the information
or documents must be given, and
Cyber Security and Resilience (Network and Information Systems) Bill 44
Part 2—The NIS Regulations
Chapter 3—Other amendments

(e) include information about the possible consequences of not complying
with the notice.
(7) An information notice given to a person to which paragraph (3)(a)(ii) or
(b)(ii) applies—
5(a) may take the form of a general request for a category of persons
specified in the notice to provide the information or documents
specified or described in the notice;
(b) may be given by being published in such manner as the person giving
10
the notice considers appropriate for the purpose of bringing the notice
to the attention of persons described in it as persons from which the
information or documents are required.
(8) A person to which an information notice is given under this regulation
must comply with the requirements imposed by the notice.
(9) For the purposes of this regulation—
15(a) a person is regulated by a designated competent authority if the
person is—
(i) an OES within a subsector specified in column 2 of the table in
Schedule 1 for which the authority is specified in column 3 of
that table, or
20(ii) a person designated by the authority under regulation 14H
(critical suppliers);
(b) a person is regulated by the Information Commission if the person
is—
(i) an RDSP or an RMSP, or
25(ii) a person designated by the Information Commission under
regulation 14H (critical suppliers).
Information gathering: further provision
15A.—(1) The power conferred by regulation 15(1) or (2) to require a person
(“P”) to give information includes power to require P—
30(a) to obtain or generate information or documents;
(b) to collect or retain information or documents that P would not
otherwise collect or retain for the purpose of giving it under the
provision in question.
35
(2) An information notice under regulation 15 may be given to a person
whether or not the person is established in the United Kingdom.
(3) The powers conferred by regulation 15 are exercisable in relation to
information or documents whether stored within or outside the United
Kingdom.
40
(4) A person may not be required under regulation 15 to give a privileged
communication to a designated competent authority or the Information
Commission.
(5) A “privileged communication” is a communication—
45 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(a) between a professional legal adviser and their client, or
(b) made in connection with, or in contemplation of, legal proceedings
and for the purposes of those proceedings,
5
which in proceedings in the High Court would be protected from disclosure
on grounds of legal professional privilege.
(6) In the application of paragraph (5) to Scotland—
(a) the reference to the High Court is to be read as a reference to the
Court of Session;
(b)
10
the reference to legal professional privilege is to be read as a reference
to the confidentiality of communications.
(7) An information notice given under regulation 15 by a designated
competent authority or the Information Commission may be revoked by that
authority or the Information Commission (as the case may be)—
(a)
15
where the notice was given as mentioned in regulation 15(7)(b), by
publication of a notice in the same manner as that in which the
information notice was published;
(b) otherwise, by the giving of a notice to the recipient of the information
notice.”
21 Financial penalties
20(1) Regulation 18 of the NIS Regulations (penalties) is amended as follows.
(2) After paragraph (2) insert—
“(2A) The Information Commission may serve a notice of intention to impose
a penalty on an RMSP if the Information Commission—
(a)
25
has reasonable grounds to believe that the RMSP has failed to comply
with a duty referred to in regulation 17(2ZA) or the duty set out in
regulation 17(3A), and
(b) considers that a penalty is warranted having regard to the facts and
circumstances of the case.
30
(2B) A designated competent authority or the Information Commission may
serve a notice of intention to impose a penalty on a person if the authority
or Information Commission (as the case may be)—
(a) has reasonable grounds to believe that the person has failed to comply
with—
(i)
35
an information notice given to the person under regulation 15
by the authority or Information Commission (as the case may
be), or
(ii) the duty set out in regulation 17(3A), and
(b) considers that a penalty is warranted having regard to the facts and
circumstances of the case.”
Cyber Security and Resilience (Network and Information Systems) Bill 46
Part 2—The NIS Regulations
Chapter 3—Other amendments

(3) For paragraphs (3A) and (3B) substitute—
“(3A) Paragraph (3B) applies where a designated competent authority or
the Information Commission has served a notice of intention to impose a
penalty on a person.
5(3B) The designated competent authority or the Information Commission
(as the case may be) may, after considering any representations submitted in
accordance with paragraph (3)(f), serve a penalty notice on the person with
a final penalty decision if the authority or Information Commission is satisfied
10
that a penalty is warranted having regard to the facts and circumstances of
the case.”
(4) In paragraph (3C)—
(a) after “penalty notice” insert “on a person”;
(b) for “the OES or RDSP” substitute “the person”;
(c) for “regulation 17(1) or (2)” substitute “regulation 17”.
15(5) In paragraph (3D)(a) and (c), for “OES or RDSP” (in each place it occurs)
substitute “person to which it relates”.
(6) In paragraph (3E)—
(a) for “OES or RDSP” substitute “person served with a penalty notice”;
(b) for “a penalty notice” substitute “the notice”.
20(7) For paragraphs (5) to (7) substitute—
“(5) A penalty imposed under this regulation—
(a) must be of an amount which the designated competent authority or
the Information Commission (as the case may be) determines is
25
appropriate and proportionate in the circumstances, including having
regard to the matters mentioned in paragraph (6);
(b) must not exceed the maximum amount applicable to the failure in
respect of which the penalty is imposed.
(6) The matters referred to in paragraph (5)(a) are—
(a) the impact of the failure in respect of which the penalty is imposed,
30(b) any steps taken by the person on which the penalty is imposed to
remedy the failure or mitigate its impact, and
(c) the person’s previous compliance or non-compliance with
requirements imposed under or by virtue of these Regulations or
35
regulations under section 29(1) of the Cyber Security and Resilience
(Network and Information Systems) Act 2026.
(7) The maximum amount of a penalty that may be imposed on a person
is—
(a) in the case of a failure to which paragraph (10) applies, the standard
maximum amount;
40(b) in the case of a failure to which paragraph (11) applies, the higher
maximum amount.
47 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(8) The “standard maximum amount” is—
(a) where the person is an undertaking, the greater of—
(i) £10,000,000, and
(ii)
5
2% of the turnover of the undertaking (both inside and outside
the United Kingdom);
(b) in any other case, £10,000,000.
(9) The “higher maximum amount” is—
(a) where the person is an undertaking, the greater of—
(i) £17,000,000, and
10(ii) 4% of the turnover of the undertaking (both inside and outside
the United Kingdom);
(b) in any other case, £17,000,000.
(10) This paragraph applies to a failure to comply with a duty referred to
in any of the following provisions—
15(a) in regulation 17(1) (OES failures)—
(i) sub-paragraph (za) (failure to notify under regulation 8(2));
(ii) sub-paragraph (zaa) (failure to comply with requirements in
regulation 8ZA);
(iii)
20
sub-paragraph (zb) (failure to comply with requirements in
regulation 8A);
(iv) sub-paragraph (ca) (failure to comply with regulation 11(8));
(v) sub-paragraph (cd) (failure to comply with regulation 11A(7));
(vi) sub-paragraph (cf) (failure to comply with regulation 11B(12),
25
12B(11) or 14F(11) in relation to the making of a further
disclosure);
(b) in regulation 17(2) (RDSP failures)—
(i) sub-paragraph (ca) (failure to comply with regulation 12A(7));
(ii) sub-paragraph (dza) (failure to comply with regulation 11B(12),
30
12B(11) or 14F(11) in relation to the making of a further
disclosure);
(iii) sub-paragraph (dzc) (failure to comply with regulation 14(2) or
(3));
(iv) sub-paragraph (da) (failure to comply with requirements in
regulation 14A);
35(c) in regulation 17(2ZA) (RMSP failures)—
(i) sub-paragraph (b) (failure to comply with regulation 14C(2) or
(5));
(ii) sub-paragraph (c) (failure to comply with regulation 14D);
(iii) sub-paragraph (f) (failure to comply with regulation 14E(7));
Cyber Security and Resilience (Network and Information Systems) Bill 48
Part 2—The NIS Regulations
Chapter 3—Other amendments

(iv) sub-paragraph (h) (failure to comply with regulation 11B(12),
12B(11) or 14F(11) in relation to the making of a further
disclosure).
5
(11) This paragraph applies to a failure to comply with a duty referred to
in any of the following provisions—
(a) in regulation 17(1) (OES failures)—
(i) sub-paragraph (a) (failure to fulfil the security duties under
regulation 10(1) and (2));
(ii)
10
sub-paragraph (b) (failure to notify an incident under regulation
11(2));
(iii) sub-paragraph (c) (failure to comply with regulation 11(6) and
(7) in relation to the notification requirements in regulation 11(2));
(iv) sub-paragraph (cb) (failure to give notification in relation to an
incident as required by regulation 11A(2));
15(v) sub-paragraph (cc) (failure to comply with regulation 11A(5) and
(6) in relation to a notification under 11A(2));
(vi) sub-paragraph (ce) (failure to comply with direction under
regulation 11B(6)(b));
(vii)
20
sub-paragraph (cg) (failure to comply with regulation 11C(2)(b)
and (4));
(viii) sub-paragraph (f) (failure to comply with direction under
regulation 16(1)(c) or requirements under regulation 16(3));
(b) in regulation 17(2) (RDSP failures)—
(i) sub-paragraph (a) (failure to fulfil duties under regulation 12(1));
25(ii) sub-paragraph (b) (failure to notify an incident under regulation
12A(1));
(iii) sub-paragraph (c) (failure to comply with regulation 12A(5) and
(6) in relation to notification requirement under regulation
12A(1));
30(iv) sub-paragraph (d) (failure to comply with a direction made by
the Information Commission under regulation 12B(4)(b));
(v) sub-paragraph (dzb) (failure to comply with regulation 12C(1)(b)
and (3));
(vi)
35
sub-paragraph (f) (failure to comply with a direction given under
regulation 16(2)(c), or the requirements at regulation 16(3));
(c) in regulation 17(2ZA) (RMSP failures)—
(i) sub-paragraph (a) (failure to comply with regulation 14B(1));
(ii) sub-paragraph (d) (failure to give a notification as required by
regulation 14E(1));
40(iii) sub-paragraph (e) (failure to comply with the requirements in
regulation 14E(5) and (6) in relation to a notification under
regulation 14E(1));
49 Cyber Security and Resilience (Network and Information Systems) Bill
Part 2—The NIS Regulations
Chapter 3—Other amendments

(iv) sub-paragraph (g) (failure to comply with a direction under
regulation 14F(4)(b));
(v) sub-paragraph (i) (failure to comply with regulation 14G(1)(b)
and (3));
5(vi) sub-paragraph (j) (failure to comply with a direction under
regulation 16(2)(c));
(vii) sub-paragraph (k) (failure to comply with regulation 16(3));
(d) regulation 17(2ZB) (failure to comply with information notice).”
22 Enforcement and appeals
10Schedule 1 contains further amendments to the NIS Regulations in connection
with enforcement and appeals.
Other
23 Minor and consequential amendments etc
15
Schedule 2 contains minor and consequential amendments to the NIS
Regulations and other enactments.
PART 3
SECURITY AND RESILIENCE OF SYSTEMS: FUNCTIONS OF THE SECRETARY OF STATE
CHAPTER 1
INTRODUCTORY
2024 Key definitions in Part 3
(1) In this Part, “network and information system” means—
(a) an electronic communications network within the meaning of section
32(1) of the Communications Act 2003, or
(b) apparatus which is programmed to process digital data.
25(2) A reference in subsection (1) to an electronic communications network or to
apparatus includes a reference to data stored, processed, retrieved or
transmitted by the network or apparatus for the purposes of the operation,
use, protection or maintenance of the network or apparatus.
(3)
30
In this Part, “essential activity” means an activity specified for the purposes
of this subsection in regulations made by the Secretary of State.
(4) An activity may be specified for the purposes of subsection (3) only if the
Secretary of State considers that the carrying on of the activity is essential
to—
Cyber Security and Resilience (Network and Information Systems) Bill 50
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 1—Introductory

(a) the economy of the United Kingdom or any part of the United
Kingdom, or
(b) the day-to-day functioning of society in the United Kingdom or any
part of the United Kingdom.
5(5) For the purposes of this Part—
(a) references to the carrying on of an activity include references to the
provision of a service (and references to an activity include references
to a service);
(b)
10
the following are to be treated for the purposes of this Part as activities
specified for the purposes of subsection (3)—
(i) an essential service (within the meaning of the NIS Regulations)
specified in Schedule 2 to those Regulations;
(ii) a relevant digital service (within the meaning of those
Regulations);
15(iii) a managed service (within the meaning of those Regulations).
(6) In this Part, “regulatory authority” means a person designated for the purposes
of this subsection by regulations made by the Secretary of State.
(7) A person may be designated for the purposes of subsection (6) only if the
person exercises functions of a public nature in the United Kingdom.
20(8) The following persons are to be treated for the purposes of this Part as having
been designated for the purposes of subsection (6)—
(a) a person designated by regulation 3(1) of the NIS Regulations
(competent authorities for operators of essential services);
(b) the Information Commission.
25(9) For the meaning of “regulated person” (in Chapters 3 and 4) see section 30(2).
CHAPTER 2
STATEMENT OF STRATEGIC PRIORITIES ETC
25 Statement of strategic priorities etc
(1)
30
The Secretary of State may designate a statement for the purposes of this
section if the requirements set out in section 26 (consultation and procedural
requirements) are satisfied.
(2) The statement is a statement prepared by the Secretary of State that sets out—
(a) the strategic priorities of His Majesty’s Government in relation to the
35
security and resilience of network and information systems used or
relied on in connection with the carrying on of essential activities,
(b) the roles and responsibilities of regulatory authorities and other persons
involved in giving effect to these priorities, and
(c) objectives for regulatory authorities in seeking to give effect to those
priorities.
51 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 2—Statement of strategic priorities etc

(3) The Secretary of State must publish a statement designated under subsection
(1) in such manner as the Secretary of State considers appropriate.
(4) A statement designated under subsection (1) may be amended (including by
5
replacing the whole or a part of the statement with new material, or by
withdrawing part of the statement) by a subsequent statement designated
under that subsection, and this section and section 26 apply in relation to any
subsequent statement as they apply in relation to the original statement.
(5) The designation of a statement under subsection (1) may be withdrawn by
the Secretary of State.
10(6) Except as provided by subsection (7), no amendment of a statement under
subsection (4) or withdrawal of a designation under subsection (5) may be
made within the period of three years beginning with the day on which a
statement was most recently designated under subsection (1).
(7)
15
An earlier amendment of a statement under subsection (4) or withdrawal of
a designation under subsection (5) may be made if since that day—
(a) a Parliamentary general election has taken place, or
(b) the Secretary of State considers that there has been a significant change
in—
(i)
20
the policy of His Majesty’s Government relating to the security
and resilience of network and information systems used or
relied on in connection with the carrying on of essential
activities, or
(ii) the nature of threats to the security and resilience of such
network and information systems.
25(8) For the purposes of this section, corrections of clerical or typographical errors
are not to be treated as amendments made to the statement.
26 Consultation and procedure in relation to statement
(1) This section sets out the requirements that must be satisfied in relation to a
statement before the Secretary of State may designate it under section 25(1).
30(2) The Secretary of State must consult the regulatory authorities on a draft of
the statement.
(3) The Secretary of State must allow the regulatory authorities a period of at
least 40 days to respond to the consultation.
(4) After that period has ended the Secretary of State—
35(a) must make any changes to the draft that appear to the Secretary of
State to be appropriate in light of responses to the consultation, and
(b) must then lay the statement before Parliament.
(5) The Secretary of State must wait until the end of the 40-day period and may
40
not designate the statement if, within that period, either House of Parliament
resolves not to approve it.
Cyber Security and Resilience (Network and Information Systems) Bill 52
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 2—Statement of strategic priorities etc

(6) “The 40-day period” is the period of 40 days beginning with the day on which
the statement is laid before Parliament (or, if it is not laid before each House
on the same day, the later of the days on which it is laid).
(7)
5
In calculating the 40-day period, no account is to be taken of any period
during which Parliament is dissolved or prorogued or during which both
Houses are adjourned for more than 4 days.
(8) Subsections (2) and (3) may be satisfied by consultation carried out before
the coming into force of this section.
27 Duties of regulatory authorities in relation to statement
10(1) This section applies where a statement is for the time being designated under
section 25(1).
(2) Each regulatory authority must, when exercising any of its functions under
or by virtue of the legislation mentioned in subsection (3)—
(a) have regard to the statement, and
15(b) seek to achieve any relevant objectives set out in the statement.
(3) The legislation referred to in subsection (2) is—
(a) the NIS Regulations, and
(b) this Part and Part 4.
28 Report by Secretary of State
20(1) The Secretary of State must, after the end of each reporting period, lay before
Parliament a report setting out, in general terms, how regulatory authorities—
(a) have complied with their duties under section 27 during the reporting
period, and
(b)
25
are planning to comply with their duties under that section during
the subsequent reporting period.
(2) The Secretary of State must publish a report under subsection (1) in such
manner as the Secretary of State considers appropriate.
(3) In this section, “reporting period” means—
(a)
30
the period of 12 months beginning with the day on which the first
statement designated under section 25(1) is published under section
25(3), and
(b) each subsequent period of 12 months.
(4) The Secretary of State may by notice require a regulatory authority to provide
35
the Secretary of State with such information for the purposes of a report
under subsection (1) as may be specified in the notice.
(5) A regulatory authority to which a notice is given under subsection (4) must
provide the information by such time and in such form as may be specified
in the notice.
53 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 2—Statement of strategic priorities etc

CHAPTER 3
REGULATIONS ABOUT SECURITY AND RESILIENCE OF SYSTEMS
29 Regulations relating to security and resilience of network and information
systems
5(1) The Secretary of State may by regulations make provision for the purposes
of or in connection with the following objectives—
(a) the identification, management and reduction of risks of security or
operational compromises in relation to relevant network and
information systems;
10(b) the mitigation of adverse impacts resulting from such security or
operational compromises.
(2) Provision for the purposes of or in connection with the objectives mentioned
in subsection (1) may in particular include provision with a view to
15
strengthening the resilience of relevant network and information systems and
the resilience and security of their surrounding physical environment.
(3) For the purposes of this Chapter, a network and information system is
“relevant” if—
(a) it is used or relied on in connection with the carrying on of an essential
activity or the provision of an activity-critical supply, or
20(b) it is associated with a system to which paragraph (a) applies.
(4) A network and information system is “associated” with a system to which
subsection (3)(a) applies if the occurrence of a security or operational
compromise in relation to either of those systems would be likely to put the
other system at increased risk of a security or operational compromise.
25(5) In this Chapter, “security or operational compromise”, in relation to a relevant
network and information system, means—
(a) anything that compromises the security, availability, functionality or
reliability of the system,
(b)
30
any unauthorised access to, interference with or exploitation of the
system or anything which enables such access, interference or
exploitation,
(c) anything that compromises the confidentiality, authenticity, integrity
or availability of data stored on or processed, received or transmitted
by the system, or
35(d) anything that causes data stored on or processed by the system to be
lost.
(6) In this Chapter, “activity-critical supply” means a supply of goods or services
without which the carrying on of an essential activity would be at risk of
disruption.
Cyber Security and Resilience (Network and Information Systems) Bill 54
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

30 Imposition of requirements on regulated persons
(1) Regulations under section 29(1) may impose requirements on regulated
persons.
(2)
5
In this Chapter, “regulated person” means a person specified, or of a
description specified, for the purposes of this subsection.
(3) A person or description may be specified for the purposes of subsection (2)
only if the person, or every person of that description—
(a) carries on an essential activity in the United Kingdom, or
(b) provides an activity-critical supply,
10(whether or not the person is established in the United Kingdom).
(4) Provision made by virtue of subsection (2) may in particular be framed by
reference to whether the person, or every person of that description, is for
the time being designated by a regulatory authority in accordance with
provision made by regulations under section 29(1).
15(5) The following are to be treated as having been specified for the purposes of
subsection (2)—
(a) an operator of an essential service (within the meaning of the NIS
Regulations);
(b)
20
a relevant digital service provider (within the meaning of those
Regulations);
(c) a relevant managed service provider (within the meaning of those
Regulations);
(d) a critical supplier (within the meaning of those Regulations).
(6)
25
The requirements which may be imposed by virtue of subsection (1) include,
in particular—
(a) requirements to take specified action, or action of a specified
description, for the purposes of or in connection with an objective
mentioned in section 29(1) (and such measures may include measures
outside the United Kingdom);
30(b) requirements in the form of prohibitions or restrictions relating to the
taking of specified action or action of a specified description;
(c) requirements relating to the reporting of specified matters;
(d) requirements to provide information to regulatory authorities and
other persons;
35(e) requirements relating to the appointment of a representative in the
United Kingdom (in the case of a regulated person established outside
the United Kingdom).
(7) In this section, “specified” means specified in regulations under section 29(1).
55 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

31 Functions of regulatory authorities: enforcement, sanctions and appeals
(1) Regulations under section 29(1) may confer functions on regulatory authorities
in connection with—
(a) monitoring compliance with relevant requirements;
5(b) investigating suspected non-compliance with relevant requirements;
(c) securing compliance with relevant requirements;
(d) mitigating the effect of non-compliance with relevant requirements.
(2) “Relevant requirement” means a requirement imposed under or by virtue
of—
10(a) regulations under section 29(1), or
(b) the NIS Regulations.
(3) Provision made by virtue of subsection (1) may include provision—
(a) conferring power on a regulatory authority to appoint inspectors to
carry out functions under the regulations;
15(b) conferring functions on a regulatory authority or an inspector,
including power—
(i) to enter, inspect and search premises;
(ii) to seize and retain documents, information or other things
20
which may be relevant to the carrying out of functions under
the regulations;
(iii) to require a person to obtain, generate, collect or retain
documents or information (including documents or information
outside the United Kingdom) or other things which may be
relevant to the carrying out of functions under the regulations;
25(iv) to carry out tests or interviews;
(v) to require a person to take steps (including steps outside the
United Kingdom) for the purpose of demonstrating compliance
with a relevant requirement or remedying or mitigating a
failure to comply with such a requirement.
30(4) Regulations under section 29(1) which confer any power described in
subsection (3)(b) may impose conditions relating to the exercise of the power,
including for example conditions requiring a person exercising the power—
(a) to produce evidence of their identity or authority;
(b)
35
to obtain a warrant from a person specified in the regulations before
exercising the power.
(5) Provision made by virtue of subsection (1) may include provision conferring
powers on regulatory authorities for or in connection with sanctions, including
financial penalties, for non-compliance with relevant requirements.
(6) Regulations under section 29(1)—
40(a) must, where they provide for financial penalties, make provision about
appeals to a court or tribunal against the imposition of such a penalty;
Cyber Security and Resilience (Network and Information Systems) Bill 56
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

(b) may make provision about appeals to a court or tribunal against
decisions or actions (including the imposition of a sanction other than
a financial penalty) under or by virtue of the regulations.
(7)
5
The provision that may be made in reliance on subsection (6) includes
provision—
(a) about the grounds on which an appeal may be made;
(b) about the procedure for making an appeal (including any fee that may
be payable);
(c)
10
suspending the effect of any decision, penalty or other action pending
determination of the appeal;
(d) about the powers of the court or tribunal to which an appeal is made;
(e) for the recovery (whether by action on a debt or otherwise) of any
sum payable in pursuance of a decision of the court or tribunal.
(8)
15
Provision referred to in subsection (7)(d) includes provision conferring on the
court or tribunal to which an appeal is made power—
(a) to confirm a financial penalty;
(b) to withdraw a financial penalty;
(c) to vary the amount of a financial penalty;
(d) to award costs.
2032 Provision about financial penalties
(1) Where regulations under section 29(1) make provision for or in connection
with the imposition of financial penalties by regulatory authorities, the
regulations—
(a)
25
may specify the amount of a penalty or provide for how the amount
of a penalty is to be determined;
(b) must, in providing for the imposition of a penalty, provide for how
a regulatory authority deals with sums received by it towards payment
of the penalty;
(c)
30
may provide for a regulatory authority to recover (whether by action
on a debt or otherwise) any unpaid part of a penalty payable to it.
(2) Regulations made by virtue of subsection (1)(a) may provide for the amount
of a penalty payable by a person to be determined by reference to a daily
rate.
(3)
35
Regulations made by virtue of subsection (1)(a) must include provision about
the maximum amount of a penalty payable by a person, which—
(a) where the person is an undertaking (within the meaning given by the
regulations), may not exceed the greater of—
(i) £17,000,000, and
(ii)
40
10% of the turnover of the undertaking (both inside and outside
the United Kingdom);
(b) in any other case, may not exceed £17,000,000,
57 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

and the regulations must include provision about how an undertaking’s
turnover is to be determined.
(4) Regulations that include provision within subsection (3) may, in particular—
(a)
5
include provision that a person of a description specified in the
regulations is or is not an undertaking;
(b) make provision about amounts which are, or are not, to be taken into
account in determining an undertaking’s turnover;
(c) make provision about the period by reference to which an
undertaking’s turnover is to be determined;
10(d) make provision conferring a power on the Secretary of State to make
a determination in a particular case in relation to matters mentioned
in the regulations (including the matters mentioned in paragraphs (b)
and (c));
(e)
15
provide, in a case where an undertaking is a member of a group, for
other members of the group to be treated as part of the undertaking
for the purposes of determining the undertaking’s turnover;
(f) provide, in a case where an undertaking controls or is controlled by
another person, for that person to be treated as part of the undertaking
for the purposes of determining the undertaking’s turnover,
20and references in paragraph (f) to control are to be construed in accordance
with the regulations.
(5) The Secretary of State may by regulations amend an amount specified in
subsection (3)(a)(i) or (b) for the purpose of reflecting inflation.
33
25
Regulatory authorities and other persons: information, guidance and other
functions
(1) Regulations under section 29(1) may confer functions on regulatory authorities
in connection with any of the following—
(a) the disclosure of information—
(i) between regulatory authorities;
30(ii) by regulatory authorities to other persons (including persons
outside the United Kingdom);
(iii) to regulatory authorities by other persons (including persons
outside the United Kingdom);
(b) the giving of guidance;
35(c) the keeping of records and registers;
(d) the preparation of reports;
(e) the carrying out of reviews;
(f) consultation and cooperation with other persons (including persons
outside the United Kingdom).
40(2) Provision described in subsection (1)(a) may include provision about—
(a) the circumstances in which, purposes for which and persons to which
information may or must be disclosed;
Cyber Security and Resilience (Network and Information Systems) Bill 58
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

(b) where the regulations authorise a person to require another person to
disclose information, how such a requirement is to be imposed;
(c) the type of information which may or must be disclosed;
(d) restrictions on disclosure;
5(e) how information disclosed may or may not be used.
(3) Except as provided by subsection (4), regulations under section 29(1) may
provide for the processing of information in accordance with the regulations
not to be in breach of—
(a)
10
any obligation of confidence owed by the person processing the
information, or
(b) any other restriction on the processing of the information (however
imposed).
(4) Regulations under section 29(1) may not require or authorise the making of
15
a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part
9 of the Investigatory Powers Act 2016.
(5) Regulations under section 29(1) may confer functions on persons (other than
regulatory authorities) which exercise functions of a public nature.
(6) Functions conferred by virtue of subsection (5) may include, in particular,
functions in connection with—
20(a) co-operating with, or consulting, other persons (including persons
outside the United Kingdom);
(b) submitting reports and carrying out analyses;
(c) monitoring incidents relating to relevant network and information
systems;
25(d) publicising and providing information relating to relevant network
and information systems;
(e) promoting best practice in relation to risk management and other
matters relating to the security of relevant network and information
systems.
3034 Recovery of costs of regulatory authorities
(1) Regulations under section 29(1) may make provision for a regulatory authority
to impose charges on persons which are or have been regulated persons in
respect of their relevant costs.
(2)
35
The “relevant costs” of a regulatory authority are its costs or expected costs
in connection with the exercise of functions conferred under or by virtue of—
(a) this Part or Part 4, or
(b) the NIS Regulations,
including costs in connection with the enforcement of relevant requirements.
(3)
40
Regulations made by virtue of subsection (1) may provide for the imposition
of charges by a regulatory authority in accordance with a scheme made by
the authority (a “charging scheme”).
59 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

(4) Regulations made by virtue of subsection (1) may include provision, or
authorise a charging scheme to include provision, about—
(a) the circumstances in which a charge is payable;
(b) the amount of a charge (including how an amount is to be calculated);
5(c) matters which must or may be taken into account by a regulatory
authority in calculating the amount of a charge;
(d) reductions, exemptions and waivers;
(e) how and when a charge is to be paid;
(f) the collection and recovery of payments;
10(g) interest payable on outstanding payments;
(h) the resolution of disputes (including appeals to a court or tribunal).
(5) Regulations made by virtue of subsection (1) may provide, or authorise a
charging scheme to provide, that a charge imposed on a person, or the amount
15
of such a charge, need not relate to the exercise of functions in relation to the
person.
(6) Provision made by virtue of subsection (4)(c) may in particular include
provision about deficits previously incurred by a regulatory authority.
(7) Regulations made by virtue of subsection (1) may authorise a charging scheme
20
to make different provision for different purposes (including different
provision in relation to different persons or circumstances).
(8) In this section, “relevant requirement” has the same meaning as in section
31.
35 Supplementary provision and interpretation
(1) Regulations under section 29(1) may—
25(a) confer functions involving the exercise of a discretion;
(b) provide for the delegation of functions by a regulatory authority;
(c) require a person to have regard to guidance or to a code of practice;
(d) make provision by reference to a document as amended from time to
time.
30(2) In this Chapter—
“activity-critical supply” has the meaning given by section 29(6);
“regulated person” has the meaning given by section 30(2);
“relevant network and information system” has the meaning given by
section 29(3);
35“security or operational compromise” has the meaning given by section
29(5).
(3) See also Chapter 6 (which contains further provision about regulations under
this Part).
Cyber Security and Resilience (Network and Information Systems) Bill 60
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 3—Regulations about security and resilience of systems

CHAPTER 4
CODE OF PRACTICE
36 Code of practice
(1)
5
The Secretary of State may issue a code of practice for regulated persons
describing measures recommended for the purposes of compliance with
requirements imposed on them under or by virtue of—
(a) regulations under section 29(1), or
(b) the NIS Regulations.
(2)
10
The Secretary of State may from time to time revise and reissue a code under
this section.
(3) Before preparing or revising a code under this section, the Secretary of State
must consult such persons as the Secretary of State considers appropriate.
(4) A code under this section—
(a)
15
may make different provision for different purposes (including different
provision for different descriptions of regulated persons);
(b) may contain transitional provisions and savings.
(5) In this Chapter, “regulated person” has the same meaning as in Chapter 3.
37 Procedure for issue of code of practice
(1)
20
Before issuing or reissuing a code of practice under section 36, the Secretary
of State must lay before Parliament a draft of the code as proposed to be
issued or reissued.
(2) If, within the 40-day period, either House of Parliament resolves not to
approve the draft laid under subsection (1)—
(a)
25
the Secretary of State must not issue or reissue the code in the form
of that draft, and
(b) the Secretary of State may prepare another code.
(3) If no such resolution is passed within the 40-day period, the Secretary of State
may issue or reissue the code of practice.
(4) If the code is issued or reissued—
30(a) the Secretary of State must publish it, and
(b) the code comes into force at the time of its publication, unless it
specifies a different time for its coming into force.
(5) In this section, “the 40-day period” means the period of 40 days beginning
35
with the day on which the draft is laid before Parliament (or, if the draft is
not laid before each House on the same day, the later of the days on which
it is laid).
61 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 4—Code of practice

(6) In calculating the 40-day period, no account is to be taken of any period
during which Parliament is dissolved or prorogued or during which both
Houses of Parliament are adjourned for more than 4 days.
(7)
5
The Secretary of State may by regulations change the procedure for issuing
or reissuing a code by amending—
(a) section 36, so far as it relates to consultation, and
(b) this section (other than this subsection).
38 Effects of code of practice
(1)
10
A failure by a regulated person to act in accordance with a provision of a
code under section 36—
(a) is not of itself evidence of a failure to comply with a requirement to
which the provision of the code relates, and
(b) does not of itself make the person liable to legal proceedings in a court
or tribunal.
15(2) A code under section 36 is admissible in evidence in legal proceedings.
(3) In any proceedings in a court or tribunal, the court or tribunal must take into
account a provision of a code under section 36 in determining a question
arising in the proceedings if—
(a) the question relates to a time when the provision was in force, and
20(b) the provision appears to the court or tribunal to be relevant to the
question.
(4) A regulatory authority must, when determining any question relating to a
regulated person’s compliance with a requirement imposed under or by virtue
25
of regulations under section 29(1) or the NIS Regulations, take into account
any provision of a code under section 36 if—
(a) the question relates to a time when the provision was in force, and
(b) the provision appears to the authority to be relevant to the question.
39 Withdrawal of code of practice
(1) The Secretary of State may withdraw a code issued under section 36.
30(2) Before withdrawing a code, the Secretary of State must consult such persons
as the Secretary of State considers appropriate on the proposal to withdraw
the code.
(3) If the Secretary of State decides to withdraw a code, the Secretary of State
must lay before Parliament notice of the withdrawal of the code.
35(4) A withdrawal of a code has effect at the end of the 40-day period unless the
notice under subsection (3) specifies that the withdrawal has effect at a
different time; and a notice may specify different times for different purposes
and may include savings.
Cyber Security and Resilience (Network and Information Systems) Bill 62
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 4—Code of practice

(5) In subsection (4), “the 40-day period” has the same meaning as in section 37
(reading references in section 37(5) to a draft of the code as references to the
notice).
CHAPTER 5
5REPORT ON NETWORK AND INFORMATION SYSTEMS LEGISLATION
40 Report on network and information systems legislation
(1) The Secretary of State must at least once every 5 years beginning with the
day on which this Act is passed—
(a)
10
lay before Parliament a report on the operation of the legislation
mentioned in subsection (3) during the review period, and
(b) publish the report.
(2) The review period means—
(a) in relation to the first report, the period between the day on which
this Act is passed and the publication of the report;
15(b) in relation to any other report, the period since the publication of the
preceding report.
(3) The legislation referred to in subsection (1)(a) is such of the following
legislation as has been in force at any time during the review period in
question—
20(a) the NIS Regulations;
(b) this Part and Part 4;
(c) regulations under any provision of Chapter 1 or 3 of this Part.
(4) A report must in particular—
(a)
25
set out the objectives intended to be achieved by the legislation
mentioned in subsection (3);
(b) assess the extent to which those objectives have been achieved;
(c) assess whether those objectives remain appropriate;
(d) if those objectives remain appropriate, assess the extent to which they
30
could be achieved in another way which involves less onerous
regulatory provision (as defined by section 32(4) of the Small Business,
Enterprise and Employment Act 2015);
(e) review any exercise of the powers conferred on the Secretary of State
by this Part and Part 4 during the review period in question.
(5)
35
The Secretary of State may by regulations amend this section so as to change
the matters to be covered in reports.
(6) The Secretary of State may by notice given to a regulatory authority require
the authority to provide such information as the Secretary of State may
reasonably require for the purposes of a report.
63 Cyber Security and Resilience (Network and Information Systems) Bill
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 5—Report on network and information systems legislation

CHAPTER 6
REGULATIONS UNDER PART 3
41 Regulations under section 24 or Chapter 3
(1) Regulations under section 24 or Chapter 3 may—
5(a) make different provision for different purposes (including different
provision for different descriptions of regulated person as defined by
section 30(2));
(b) make provision subject to exceptions;
(c) make different provision for different areas;
10(d) make provision about application to the Crown;
(e) make provision about application to relevant UK waters;
(f) make consequential, supplementary, incidental, transitional or saving
provision.
(2) In subsection (1)(e), “relevant UK waters” means—
15(a) internal waters of the United Kingdom,
(b) the territorial sea adjacent to the United Kingdom, and
(c) the sea (including the seabed and subsoil) in any area designated
under section 1(7) of the Continental Shelf Act 1964.
(3)
20
The consequential provision that may be made by virtue of subsection (1)(f)
includes provision amending or repealing provision made by primary
legislation.
(4) In subsection (3), “primary legislation” means—
(a) an Act of Parliament (including this Act),
(b) an Act of the Scottish Parliament,
25(c) an Act or Measure of Senedd Cymru, or
(d) Northern Ireland legislation.
42 Consultation and procedure
(1) The Secretary of State must consult such persons as the Secretary of State
considers appropriate before making—
30(a) regulations under section 24(3) (essential activities);
(b) regulations under section 24(6) (designation of regulatory authorities);
(c) regulations under section 29(1) which contain provision to which
subsection (2) applies;
(d)
35
regulations under section 40(5) (matters to be covered in reports on
legislation).
(2) This subsection applies to provision made by virtue of any of the following—
(a) section 30(1) (imposition of requirements on regulated persons), other
than provision described in section 30(4) (designation of regulated
persons);
Cyber Security and Resilience (Network and Information Systems) Bill 64
Part 3—Security and resilience of systems: functions of the Secretary of State
Chapter 6—Regulations under Part 3

(b) section 31(1) (functions of regulatory authorities);
(c) section 31(6) (appeals), other than provision described in section
31(7)(b) (procedure);
(d)
5
section 32(3) (maximum amount of penalties), other than where the
provision is made for the purpose of reflecting inflation;
(e) section 33(1)(a) (disclosure of information), other than provision
described in section 33(2)(b) (form of requirement to disclose
information);
(f) section 33(5) (functions of other persons);
10(g) section 34 (recovery of costs).
(3) The duty under subsection (1) may be satisfied by consultation carried out
before the coming into force of this section.
(4) Regulations under this Part are to be made by statutory instrument.
(5) A statutory instrument containing regulations under this Part—
15(a) in relation to which consultation is required by subsection (1), or
(b) which amend primary legislation as defined by section 41(4),
may not be made unless a draft of the instrument has been laid before and
approved by a resolution of each House of Parliament.
(6)
20
Any other statutory instrument containing regulations under this Part is
subject to annulment in pursuance of a resolution of either House of
Parliament.
PART 4
DIRECTIONS FOR NATIONAL SECURITY PURPOSES
Directions to regulated persons
2543 Directions to regulated persons
(1) The Secretary of State may give a direction to a regulated person if the
Secretary of State considers that—
(a) the occurrence of a security or operational compromise in relation to
30
a relevant network and information system, or the threat of such an
occurrence, gives rise to a risk to national security, and
(b) the giving of the direction is necessary and proportionate in the
interests of national security.
(2) A direction under this section is a direction requiring the person to which it
is given to do, or not to do, a particular thing specified in the direction.
35(3) A direction under this section may in particular impose any of the following
kinds of requirement—
(a) a requirement relating to the management of relevant network and
information systems;
65 Cyber Security and Resilience (Network and Information Systems) Bill
Part 4—Directions for national security purposes

(b) a requirement designed to reduce risks relating to, or to mitigate
impacts on, the carrying on of an essential activity or the provision
of an activity-critical supply;
(c)
5
a requirement relating to the provision of information, including
information relating to compliance with the direction;
(d) a requirement in the form of a prohibition or restriction on the use of
goods, services or facilities;
(e) a requirement in the form of a prohibition on the installation of goods
or the taking up of services or facilities;
10(f) a requirement relating to removing, disabling or modifying goods or
facilities or modifying services;
(g) a requirement for the person to which the direction is given (“P”) to
appoint a person with expertise in relation to the security of network
15
and information systems (a “skilled person”) for the purpose of
assisting P to comply with the direction;
(h) a requirement for a thing to be done or not done in or in relation to
the United Kingdom, relevant UK waters (as defined by section 41(2))
or a place other than the United Kingdom.
(4)
20
It does not matter for the purposes of subsection (1) whether or not the risk
referred to in subsection (1)(a) is one that relates to the carrying on of an
essential activity or the provision of an activity-critical supply.
(5) A direction under this section must specify—
(a) the person to which it is given;
(b)
25
the reasons for the direction, except if or to the extent that the Secretary
of State considers it would be contrary to the interests of national
security to do so;
(c) the time at which the direction comes into force;
(d) in relation to each requirement imposed by the direction that requires
30
a thing to be done, a reasonable period within which the requirement
must be complied with.
(6) A person to which a direction is given under this section must comply with
it.
(7) A person to which a direction is given under this section (“P”)—
(a)
35
must obtain the written approval of the Secretary of State before
appointing a skilled person for the purpose of assisting P to comply
with the direction (whether or not in pursuance of a requirement
imposed by virtue of subsection (3)(g));
(b) must notify the Secretary of State as soon as reasonably practicable
40
after appointing a skilled person (whether or not in pursuance of such
a requirement).
(8) For the purposes of giving approval as required by subsection (7)(a), the
Secretary of State may rely on a list of persons published by the Government
Communications Headquarters.
Cyber Security and Resilience (Network and Information Systems) Bill 66
Part 4—Directions for national security purposes

(9) Before giving a direction under this section to a person, the Secretary of State
must consult that person and such other persons as the Secretary of State
considers appropriate, so far as it is reasonably practicable to do so.
(10)
5
The duty under subsection (9) does not apply if or to the extent that the
Secretary of State considers that compliance with the duty would be contrary
to the interests of national security.
(11) The Secretary of State may require—
(a) a person to which a direction is given under this section not to disclose,
10
in whole or part, the existence of the direction and the contents of the
direction without the permission of the Secretary of State;
(b) a person consulted under subsection (9) not to disclose, in whole or
part, the existence of the consultation and any information disclosed
to the person in the consultation without the permission of the
Secretary of State.
15(12) The Secretary of State may not impose a requirement under subsection (11)
unless the Secretary of State considers that the requirement is necessary and
proportionate in the interests of national security.
44 Compliance with directions under section 43 to take priority
(1) This section applies in a case where the Secretary of State—
20(a) considers (following representations or otherwise) that it is not
reasonably practicable for a regulated person to comply with both—
(i) a requirement imposed by a direction given to the person under
section 43, and
(ii)
25
another requirement of a regulatory nature imposed under or
by virtue of any enactment (“the conflicting requirement”), and
(b) has notified the person of that fact.
(2) In such a case, the duty of the regulated person to comply with the conflicting
requirement does not apply so far as it conflicts with the requirement
mentioned in subsection (1)(a)(i).
30(3) The Secretary of State must notify any relevant regulator of the fact that the
regulated person is not required to comply with the conflicting requirement.
(4) “Relevant regulator” means a person which may exercise a regulatory function
(within the meaning of the Legislative and Regulatory Reform Act 2006) in
relation to—
35(a) the regulated person, and
(b) the conflicting requirement.
(5) The duty under subsection (3) does not apply if or to the extent that the
Secretary of State considers that compliance with the duty would be contrary
to the interests of national security.
40(6) Subsection (7) applies if under section 54 the Secretary of State—
67 Cyber Security and Resilience (Network and Information Systems) Bill
Part 4—Directions for national security purposes

(a) varies the direction so as to remove the requirement mentioned in
subsection (1)(a)(i), or
(b) revokes the direction.
(7) In such a case—
5(a) subsection (2) ceases to apply, and
(b) the Secretary of State must notify the regulated person and any relevant
regulator notified under subsection (3) that subsection (2) has ceased
to apply in relation to the conflicting requirement.
(8)
10
In this section “enactment” includes an enactment comprised in, or in an
instrument made under, an Act of the Scottish Parliament.
Monitoring of compliance with directions
45 Monitoring by regulatory authorities
(1) The Secretary of State may direct a regulatory authority—
(a)
15
to obtain information relating to a person’s compliance with a direction
given to the person under section 43,
(b) to prepare and send a report to the Secretary of State based on that
information, and
(c) to provide to the Secretary of State on request the information on
which a report falling within paragraph (b) is based.
20(2) The information that the regulatory authority may be required to obtain under
subsection (1)(a) is information which would assist the Secretary of State in
determining whether the person has complied, is complying or is preparing
to comply with the direction under section 43 or a particular requirement
imposed by the direction.
25(3) A regulatory authority to which a direction is given under this section must
comply with it.
(4) A direction under this section may, in particular—
(a) require a report to include the regulatory authority’s analysis of
30
information gathered by the authority and an explanation of its
analysis;
(b) make provision about the form and content of a report;
(c) require the authority to give the Secretary of State separate reports on
different matters;
(d)
35
make provision about when the authority must report to the Secretary
of State, including provision requiring the authority to give reports at
intervals specified in the direction.
(5) A regulatory authority to which a direction is given under this section must
exercise its power under section 46(2) (information gathering) in such manner
40
as it considers appropriate for the purposes of preparing a report required
by the direction.
Cyber Security and Resilience (Network and Information Systems) Bill 68
Part 4—Directions for national security purposes

(6) The Secretary of State may vary or revoke a direction under this section.
(7) Before varying or revoking a direction under this section, the Secretary of
State must consult the regulatory authority to which the direction was given.
(8)
5
A direction may not be given under this section to a regulatory authority
which is—
(a) a Minister of the Crown,
(b) a member of the Scottish Government or a junior Scottish Minister,
(c) the Welsh Government, or
(d) a Northern Ireland department.
10(9) But subsection (8) does not prevent a regulatory authority referred to in that
subsection from doing the things described in subsection (1) following a
request made to the authority by the Secretary of State.
(10) The Secretary of State may disclose a report made by a regulatory authority
in pursuance of subsection (1)(b) or (9).
15(11) In disclosing such a report, the Secretary of State must have regard to the
need to exclude from disclosure, so far as is practicable—
(a) information which relates to the affairs of a particular body and
disclosure of which would or might, in the Secretary of State’s opinion,
seriously and prejudicially affect the interests of that body;
20(b) information which relates to the private affairs of an individual and
disclosure of which would or might, in the Secretary of State’s opinion,
seriously and prejudicially affect the interests of that individual.
Information gathering and inspections
46 Information gathering
25(1) The Secretary of State may require a person to give the Secretary of State
such information or documents as the Secretary of State reasonably requires
for the purpose of exercising, or deciding whether to exercise, any of the
Secretary of State’s functions under this Part.
(2)
30
A regulatory authority may require a regulated person to give the authority
such information or documents as it reasonably requires for the purpose of
complying with—
(a) a direction given to the authority under section 45, or
(b) a request of a kind referred to in section 45(9).
(3)
35
A power under subsection (1) or (2) is to be exercised by giving the person
in question a notice in writing (an “information notice”).
(4) An information notice must—
(a) specify or describe the information or documents sought,
69 Cyber Security and Resilience (Network and Information Systems) Bill
Part 4—Directions for national security purposes

(b) explain why the information or documents are being sought, except
if or to the extent that the person giving the notice considers it would
be contrary to the interests of national security to do so,
(c)
5
specify the manner and form in which the information or documents
must be given,
(d) specify the time by which, or period within which, the information
or documents must be given, and
(e) include information about the possible consequences of not complying
with the notice.
10(5) A power under subsection (1) or (2) to require a person to give information
includes the power to require the person—
(a) to obtain or generate information or documents;
(b) to collect or retain information or documents that the person would
15
not otherwise collect or retain for the purpose of giving it under the
subsection in question.
(6) A person to which an information notice is given must comply with the
requirements imposed by the notice.
(7) The powers conferred by this section are exercisable in relation to information
or documents whether stored within or outside the United Kingdom.
20(8) A person may not be required by an information notice to give a privileged
communication to the Secretary of State or a regulatory authority.
(9) A “privileged communication” is a communication—
(a) between a professional legal adviser and their client, or
(b)
25
made in connection with, or in contemplation of, legal proceedings
and for the purposes of those proceedings,
which in proceedings in the High Court would be protected from disclosure
on grounds of legal professional privilege.
(10) An information notice given to a person (“P”) may be revoked by notice given
to P by the person which gave the information notice.
30(11) In the application of this section to Scotland—
(a) the reference to the High Court is to be read as a reference to the
Court of Session;
(b) the reference to legal professional privilege is to be read as a reference
to the confidentiality of communications.
35(12) The power under subsection (1) may not be exercised in relation to—
(a) the person designated by regulation 4 of the NIS Regulations (single
point of contact), or
(b) the person designated by regulation 5 of the NIS Regulations (computer
security incident response team).
Cyber Security and Resilience (Network and Information Systems) Bill 70
Part 4—Directions for national security purposes

47 Inspections
(1) In this section “inspection” means any activity carried out for the purposes
of or in connection with—
(a)
5
verifying compliance with a direction under section 43 or a
confirmation decision under section 50, or
(b) assessing or gathering evidence of a potential or alleged failure to
comply with such a direction or decision.
(2) The Secretary of State may—
(a) carry out all or any part of an inspection;
10(b) appoint a person to carry out all or any part of an inspection on the
Secretary of State’s behalf (on such terms and in such a manner as
the Secretary of State considers appropriate);
(c) direct a regulated person to appoint a person who is approved by the
15
Secretary of State to carry out all or any part of an inspection on the
Secretary of State’s behalf.
(3) Where a regulatory authority is subject to a direction under section 45 or a
request has been made to it under section 45(9), it may—
(a) carry out all or any part of an inspection;
(b)
20
appoint a person to carry out all or any part of an inspection on behalf
of the authority (on such terms and in such a manner as the authority
considers appropriate);
(c) direct a regulated person to appoint a person who is approved by the
authority to carry out all or any part of an inspection on its behalf.
(4)
25
For the purposes of an inspection under subsection (2) or (3), the regulated
person must—
(a) pay the reasonable costs of the inspection if so required by the
Secretary of State or regulatory authority (as the case may be);
(b) co-operate with the inspector;
(c)
30
provide the inspector with access to their premises in accordance with
subsection (6);
(d) allow the inspector to examine, print, copy or remove any document
or information, and examine or remove any material or equipment,
in accordance with subsection (8)(c);
(e)
35
allow the inspector access to any person from whom the inspector
seeks information for the purposes of the inspection;
(f) not intentionally obstruct an inspector performing their functions in
relation to the carrying out of the inspection;
(g) comply with any request made by, or requirement of, an inspector in
connection with the carrying out of an inspection.
40(5) An inspector must, before carrying out all or part of an inspection under
subsection (2) or (3), give the regulated person to which the inspection relates
a notice setting out information about the possible consequences of failure to
comply with the duties imposed by subsection (4).
71 Cyber Security and Resilience (Network and Information Systems) Bill
Part 4—Directions for national security purposes

(6) An inspector may at any reasonable time enter the premises of a regulated
person, except any premises used wholly or mainly as a private dwelling, if
the inspector has reasonable grounds to believe that entry to the premises
may be expedient for the purposes of the inspection.
5(7) Before entering any premises under this section, the inspector must—
(a) produce evidence of their identity, and
(b) outline the purpose for which the power is exercised,
if asked to do so by a person on the premises.
(8)
10
On entering any premises under this section, an inspector may (for the
purposes of the inspection)—
(a) require the regulated person to maintain (without alteration) any
material, document, information or equipment found on the premises
or accessible from the premises;
(b)
15
require the regulated person to produce and provide the inspector
with access to any material, document, information or equipment;
(c) examine, print, copy or remove any document or information, and
examine or remove any material or equipment (including for the
purposes of printing or copying any document or information);
(d) interview any person;
20(e) carry out, or direct the regulated person to carry out, a test relating
to the security of a network and information system, including a
component of the system or a process connected with the system;
(f) take such other action as the inspector considers appropriate.
(9)
25
A person may not be required under this section to produce, or provide an
inspector with access to, a privileged communication (within the meaning
given by section 46(9)).
(10) The powers conferred by this section—
(a) are not exercisable in relation to premises, material, equipment or
individuals outside the United Kingdom;
30(b) are exercisable in relation to documents or information whether stored
within or outside the United Kingdom.
(11) In this section, “inspector” means a person carrying out all or any part of an
inspection in accordance with this section.
Enforcement of requirements
3548 Notification of contravention
(1) Where an enforcement authority determines that there are reasonable grounds
for believing that a person is contravening or has contravened a relevant
requirement, the authority may give the person a notification under this
section.
40(2) In this section and sections 49 to 51—
Cyber Security and Resilience (Network and Information Systems) Bill 72
Part 4—Directions for national security purposes

(a) “relevant requirement” means a requirement imposed—
(i) by a direction under section 43,
(ii) by section 43(7)(a) (approval of skilled persons),
(iii)
5
under section 46(1) or (2) (requirement to give information),
or
(iv) under or by virtue of section 47(2)(c), (3)(c) or (4) (requirement
relating to an inspection);
(b) “enforcement authority”—
(i)
10
in relation to a relevant requirement within paragraph (a)(i)
or (ii), means the Secretary of State;
(ii) in relation to any other relevant requirement, means the person
which imposed the requirement.
(3) A notification under this section is one which—
(a) sets out the enforcement authority’s determination,
15(b) specifies the requirement and contravention in respect of which the
determination is made,
(c) specifies the period during which the person to which the notification
is given has an opportunity to make representations,
(d)
20
specifies the steps which the enforcement authority thinks should be
taken by that person in order to—
(i) comply with the requirement, and
(ii) remedy the consequences of the contravention, and
(e) specifies the penalty which the enforcement authority is minded to
impose.
25(4) A notification may be given in respect of more than one contravention; and,
where such a notification is given, a separate penalty may be specified under
subsection (3)(e) in respect of each contravention.
(5) If a notification is given in respect of a continuing contravention—
(a)
30
it may be given in respect of any period during which the
contravention has continued;
(b) no more than one penalty may be specified under subsection (3)(e) in
respect of the period of contravention specified in the notification.
(6) Notwithstanding subsection (5)(b), in relation to a continuing contravention,
35
a penalty may be specified in respect of each day on which the contravention
continues after—
(a) the giving of a confirmation decision under section 50 which requires
immediate action in respect of that contravention (see section 50(5)(a)),
or
(b)
40
the expiry of any period specified in the confirmation decision for
complying with the requirement being contravened.
(7) Where a notification has been given to a person in respect of a contravention
of a requirement, an enforcement authority may only give a further notification
in respect of the same contravention if—
73 Cyber Security and Resilience (Network and Information Systems) Bill
Part 4—Directions for national security purposes

(a) the contravention is a continuing contravention and the subsequent
notification is in respect of so much of a period as falls after a period
to which the earlier notification relates, or
(b)
5
the earlier notification has been withdrawn without a penalty having
been imposed in respect of the notified contravention.
(8) It is immaterial for the purposes of this section whether conduct that
constitutes or causes a contravention of a relevant requirement occurs inside
the United Kingdom or elsewhere.
(9)
10
If the condition in subsection (10) is met, an enforcement authority may
require a person subject to a notification under this section not to disclose to
any other person the existence or contents of—
(a) the notification, or
(b) a part of the notification specified by the authority,
without the permission of the authority.
15(10) The condition is that the Secretary of State considers that it would be contrary
to the interests of national security for the existence or contents of the whole
or specified part of the notification to be disclosed.
49 Penalty amounts
(1)
20
The amount of a penalty that may be specified in a notification under section
48 is such amount as the enforcement authority determines to be—
(a) appropriate, and
(b) proportionate to the contravention in respect of which it is imposed.
(2) The amount of a penalty may not exceed—
(a)
25
in the case of a contravention of a requirement imposed by a direction
under section 43 or by section 43(7)(a) by a person which is an
undertaking—
(i) £17,000,000, or
(ii) where regulations under subsection (5) are in force, the greater
of—
30(A) £17,000,000, and
(B) 10% of the turnover of the undertaking (both inside
and outside the United Kingdom);
(b) in the case of a contravention of a requirement referred to in paragraph
(a) by a person which is not an undertaking, £17,000,000;
35(c) in the case of a contravention by a regulated person of a requirement
to give information under section 46(1) or (2) or of a requirement
relating to an inspection imposed under or by virtue of section 47(2)(c),
(3)(c) or (4), £10,000,000.
(3)
40
In the case of a penalty specified under section 48(6), the amount may not
exceed (subject to subsection (2))—
Cyber Security and Resilience (Network and Information Systems) Bill 74
Part 4—Directions for national security purposes