|
|
|
Commission to monitor providers’ compliance with relevant vendor measures
|
| |
33. (1) The Commission shall take reasonable steps to monitor providers’ compliance with relevant vendor measures.
|
|
| |
(2) For the purposes of subsection (1), the Commission may serve a direction on a provider which may require the provider to do one or more of the following:
|
|
| |
(a) to provide information needed to assess whether a provider has complied with a relevant vendor measure taken by the Minister;
|
|
| |
(b) where the Commission has reasonable grounds to believe that a provider is failing, or has failed, to comply with a relevant vendor measure, to provide a statement to the Commission indicating what measures the provider has taken to comply with the measure and, where the provider has failed to comply with the measure, explaining the reasons for such failure;
|
|
| |
(c) to submit to a security audit referred to in subsection (3) by the Commission or a qualified independent person nominated by the Commission and to make the results of any security audit not carried out by the Commission available to the Commission;
|
|
| |
(d) to bear the costs of an audit under paragraph (c).
|
|
| |
(3) Where the Commission serves a direction on a provider under subsection (2) requiring the provider to submit to a security audit, the Commission may appoint such member of the staff of the Commission or such other suitably qualified independent person as the Commission considers appropriate, (referred to in this section as a “security auditor”) to carry out the security audit in accordance with the direction.
|
|
| |
(4) A security auditor shall, on his or her appointment, be provided by the Commission with a certificate of his or her appointment and when exercising a power referred to in subsection (5) shall, if requested by any person thereby affected, produce such certificate to that person for inspection.
|
|
| |
(5) Where the Commission serves a direction under subsection (2) on a provider requiring the provider to submit to a security audit a security auditor may, for the purposes of carrying out the audit, exercise any power exercisable by an authorised officer under the Principal Act (other than a power exercisable for a purpose specified in section 39(3A) of the Principal Act) and where a security auditor exercises such a power a reference to an authorised officer exercising such a power in the Principal Act shall include a reference to the security auditor.
|
|
| |
(6) A direction under subsection (2) takes effect—
|
|
| |
(a) immediately upon its service, where the Commission considers, and states in the direction, that it is necessary that the direction take effect immediately to prevent a serious imminent risk to the security of networks and services, the health or safety of persons or to property, and
|
|
| |
(b) in any other case upon the expiration of the period allowed for representations to be made under subsection (7).
|
|
| |
(7) A provider that is the subject of a direction under subsection (2) may make written representations to the Commission in respect of the direction within the period of 14 days beginning on the date on which the direction is served on the provider and the Commission shall consider any representations made to it during that period and affirm (with or without modification) or withdraw the direction.
|
|
| |
(8) Where a direction is affirmed under subsection (7), the Commission shall notify the provider concerned.
|
|
| |
(9) A provider that fails to comply with a direction under subsection (2) commits an offence and is liable on summary conviction to a class A fine.
|
