The Network and Information Systems (Amendment etc) (EU Exit) Regulations 2019 SI 2019/653 have been made. They are made under section 8(1) of the European Union (Withdrawal) Act 2018 to address failures of retained EU law to operate effectively and other deficiencies arising from the withdrawal of the UK from the EU.
The NIS Directive 2016/1148/EU was transposed into UK domestic legislation in May 2018 by the Network and Information Systems Regulations 2018 SI 2018/50. The NIS Regulations provide legal measures aimed at boosting the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential services and relevant digital services. The NIS Regulations apply to digital service providers and operators of essential services in the energy, transport, health, water, and digital infrastructure sectors.
Part 1 of the 2019 Regulations amends the NIS Regulations and Part 2 amends Regulation (EU) 2018/151 as retained by the European Union (Withdrawal) Act 2018. It also revokes Regulation (EU) No 526/2013 concerning the European Union Agency for Network and Information Security (ENISA Regulation) and repeals Regulation (EC) No 460/2004 as retained by the Act.
The NIS Regulations place obligations on GCHQ and the NIS enforcement authorities (the Information Commissioner and the competent authorities which regulate the operators of essential services) to liaise, consult, co-operate and share information with certain EU bodies. The obligations derive from the NIS Directive. The UK will no longer be a member state following the UK’s withdrawal from the EU and it will therefore no longer be appropriate to require these bodies to carry out these functions. The 2019 Regulations therefore amend the NIS Regulations to remove those obligations whilst retaining the ability of these bodies to continue to exercise those functions if required.
Regulation 2 of the NIS Regulations is amended to remove the obligation on UK ministers to communicate the NIS national strategy to the European Commission.
The retained version of Regulation (EU) 2018/151 is amended to remove references to EU-based service providers and to convert monetary amounts from euros into sterling.
The retained ENISA Regulation is being revoked because it establishes and confers functions upon the European Union Agency for Network and Information Security, which is an EU body. The Regulation is retained by the Act and cannot operate to have any effect in UK law. It is therefore being revoked so as to remove it from the UK statute book.
The Regulations apply to the whole of the UK and come into force 20 days after exit day.