Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023

Obligation on providers to take measures to manage risk

6. (1) Providers shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and services.

(2) Measures taken in accordance with subsection (1) shall ensure a level of security appropriate to the risk presented having regard to the state of the art.

(3) In particular, measures, including the use of encryption where appropriate, shall be taken by providers to prevent security incidents and minimise the impact of any security incident on users and on other networks and services.

(4) The Minister, having consulted with the Commission, may make regulations in relation to the types of measures to be taken by providers to manage risks in accordance with subsection (1).

(5) Regulations under subsection (4) may—

(a) contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of ensuring that risks posed to the security of networks and services are appropriately managed,

(b) apply generally or to such class of providers, electronic communications networks or electronic communications services, technologies, equipment, associated facilities or associated services as the Minister may prescribe, and

(c) include different provisions in relation to different classes of providers, electronic communications networks or electronic communications services, technologies, equipment, associated facilities or associated services.

(6) Subject to subsection (8), the Minister shall, before making regulations under subsection (4), publish a draft of the proposed regulations on a website maintained by or on behalf of the Department of the Environment, Climate and Communications and allow a period of 30 days beginning on the day on which the draft is published during which persons may make written representations to the Minister in relation to the proposed regulations.

(7) The Minister may, having considered any representations received during the period specified in subsection (6), make the regulations with or without modification.

(8) Where the Minister is satisfied that regulations under subsection (4) are required urgently in order to prevent a serious imminent risk to the security of networks and services, to the health or safety of persons or to property, the Minister may make the regulations without complying with subsection (6).

(9) Subsections (1), (2) and (3) are regulatory provisions.

(10) A provider that fails to comply with a provision of regulations made under this section that is stated in the regulations to be a penal provision commits an offence and is liable on summary conviction to a class A fine.