
European Union

Government Structure

Do they designate a lead cyber security agency within the government? Each Member State can designate one or more national authorities responsible for cybersecurity, choosing either a centralised or decentralised model. More information about national competent authorities is available here: https://ec.europa.eu/digital-single-market/en/state-play-transposition-nis-directive

European institutions and bodies (notably the Commission, the European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions and bodies, CERT-EU) are part of the cybersecurity cooperation fora established by the Directive (i.e. the Cooperation Group, gathering national competent authorities, and the Network of Computer Security Incident Response Teams, CSIRTs).

The Commission is the secretariat of the Cooperation Group and observer in the CSIRTs Network.

ENISA is a member of the Cooperation Group and the secretariat of the CSIRTs Network.

CERT-EU is a member of the CSIRTs Network.

Is oversight provided on a centralized or sectoral basis? Depending on the national supervision model chosen by a Member State, oversight may be provided on a centralised or sectoral basis.

Different supervision regimes apply to operators of essential services ("OES") and digital service providers ("DSP"). OES provide services "essential for the maintenance of critical societal and/or economic activities" that "depend[] on network and information systems[.]" and are subject to the supervision of all the Member States in which they provide a service. OES include providers in 7 sectors (i.e. energy, transport, financial market infrastructure, banking, health, drinking water management and digital infrastructure). DSPs include providers of online marketplaces, search engines, and cloud computing, and are subject to the supervision of one Member State for all their activities within the Union. See Council Directive 2016/1148, arts. 4-5, 2016 O.J. (L 194) 1, 1 ("NIS Directive").

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? Directive (EU) 2016/1148 refers to Operators of Essential Services. This term broadly corresponds to what is typically understood as critical infrastructure. It indicates entities, either public or private, relying on network and information systems when providing services which ensure the correct functioning of the economy and society.

7 Baseline Sectors: Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water Supply and Distribution, and Digital Infrastructure. N.B. Member States can identify additional sectors in their transposition legislation.

How do they designate within these sectors? Member States designate Operators of Essential Services (OES) by applying the criteria for the identification of operators of essential services, as referred to in point (4) of Article 4, which are as follows: (a) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information systems; and (c) an incident would have significant disruptive effects on the provision of that service. [Further cross-sectoral factors to be taken into account in determining what constitutes a significant disruptive effect are listed in Article 6(1).]

"Member States should be responsible for determining which entities meet the criteria of operator of essential services (OES). In order to ensure a consistent approach, the definition of OES should be coherently applied by all Member States. To that end, this Directive provides for the assessment of the entities active in specific sectors and subsectors, the establishment of a list of essential services, the consideration of a common list of cross-sectoral factors to determine whether a potential incident would have a significant disruptive effect, a consultation process involving Member States in the case of entities providing services in more than one Member State, and the support of the Cooperation Group in identification." See Directive (EU) 2016/1148.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes, but not generally applicable across the economy. The Directive on Security of Network and Information Systems ("NIS Directive") instructs EU Member States to impose requirements on both OES and DSPs. See NIS Directive, arts. 14, 16.

While security requirements for OES are defined at national level, the EU further defines, in Commission Implementing Regulation (EU) 2018/151 of 30 January 2018, the elements to be considered by DSPs when adopting security measures.

Does it take a risk-based approach? Yes. The NIS Directive instructs Member States to ensure that OES and DSPs "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems" they use in their operations. See NIS Directive, arts. 14, 16.

Do the security measures enable the use of international standards? Yes. The NIS Directive provides that risk management measures for DSPs should take into account, inter alia, "compliance with international standards." NIS Directive, art. 16.

Member States are also directed to "encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems." Id., art. 19. Finally, the EU Cybersecurity Act specifies that "[a] European cybersecurity certification scheme shall include . . . references to the international, European or national standards applied in the evaluation [if applicable] . . . [and] the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels[.]" Council Regulation 2019/881, art. 54, 2019 O.J. (L 151) 15.

Are security measures NIST CSF compatible? (Possible to comply through this approach?) Generally, yes. The NIS Directive does not mention the NIST CSF, but refers generally to risk management measures, such as the ones expressed in the NIST CSF, irrespective of specific international standards or frameworks.

Some Member States have used the NIST CSF as a point of reference for the development of national cybersecurity frameworks that OES should adhere to when complying with the NIS Directive. The Cooperation Group has further specified security measures (CG Publication 01/2018 - Reference document on security measures for Operators of Essential Services) to implement in order to comply with the Directive. Furthermore, ENISA has mapped the identified measures against the NIST CSF: https://www.enisa.europa.eu/topics/nis-directive/minimum-security-measures-for-operators-of-essentials-services

Do they include prescriptive or technology-based security measures? Generally, no. The NIS Directive does not include prescriptive or technology-based security measures. While Member States have latitude to impose "technical . . . measures," they have generally aligned themselves with outcome-based frameworks like the NIST CSF or the ISO 27000 series of standards, as noted above.

Incident Reporting

Are there mandatory incident reporting requirements? Yes. The NIS Directive directs Member States to ensure that both OES and DSPs "notify the competent authority or the [Computer Security Incident Response Team, or CSIRT] . . . of any incident . . ." See NIS Directive, arts. 14, 16.

Are there clear thresholds above which an incident should be reported? Yes. OES should report an incident that has a "significant impact on the continuity of the essential services they provide." NIS Directive, art. 14. DSPs should report an incident "having a substantial impact on the provision of" their service. Id., art. 16.

To determine incident reporting thresholds for OES at national level, Member States should consider the number of users affected, the duration of the incident and the geographical area affected by the incident. Id., arts. 14, 16.

EU-level incident reporting thresholds have been established for DSPs through Article 4 of Commission Implementing Regulation (EU) 2018/151 of 30 January 2018.

For DSPs, the thresholds should also consider the extent of the disruption of the functioning of the service and the extent of the impact on economic and societal activities. Id., art. 16.

How do they determine the timeline within which an incident must be reported? The NIS Directive instructs Member States to ensure that incidents meeting the above criteria are reported "without undue delay[.]" See NIS Directive, arts. 14, 16.

Threat Information Sharing

Has the EU established structures allowing for sharing threat information? Yes. There are dedicated structures, established under the NIS Directive, allowing for the sharing of information about threats, risks and incidents between EU Member States at both technical and strategic level.

At technical level, Member States exchange information about threats and incidents through the Network of national Computer Security Emergency Response Teams. At policy level, the NIS Cooperation Group "ensure[s] strategic cooperation and the exchange of information among EU Member States in cybersecurity," as well as collecting "best practice information on risks and incidents[.]" See NIS Directive, art. 11; NIS Cooperation Group, European Commission (Nov. 5, 2019).

The Directive serves as a basis for a more structured sharing of information about threats between public and private entities. In order to facilitate such exchange, some Member States have put in place measures incentivising the voluntary sharing of information, such as coordinated vulnerability disclosure schemes (see the Dutch example: https://english.ncsc.nl/publications/publications/2019/juni/01/coordinated-vulnerability-disclosure-the-guideline) or Information Sharing and Analysis Centres (ISACs). ISACs are also present at EU level, such as the European Energy ISAC (https://www.ee-isac.eu/).

Does this entity share information out to industry, as well as receiving information? Yes. The NIS Cooperation Group has published eight working documents, which include recommendations to the national competent authorities. These may be considered as tips for industry, such as CG Publication 01/2018 - Reference document on security measures for Operators of Essential Services. See NIS Cooperation Group, European Commission (Nov. 5, 2019).

Is threat information sharing mandatory for any private sector entity? No, not to the NIS Cooperation Group. However, Member States are instructed by the NIS Directive to "ensure that the[ir] competent authorities have the powers and means to require [OES and DSPs] to provide . . . the information necessary to assess the security of their network and information systems, including documented security policies . . . [or OES to] evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and, in the latter case, to make the results thereof, including the underlying evidence, available to the competent authority." See NIS Directive, arts. 15, 17.

Furthermore, the Directive requires Member States to have voluntary notification mechanisms in place allowing operators to share information with the national authorities.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? Generally yes. The supervisory powers granted by the NIS Directive to Member States empower national authorities to access operators' facilities for the purpose of inspections and audits.

Are there requirements to cede control of facilities in an emergency situation? No. Not at the EU level, but Member States may allow such a policy at the national level. See, e.g., Anna Khakee, Securing Democracy? A Comparative Analysis of Emergency Powers in Europe, Geneva Centre for the Democratic Control of Armed Forces, at 29 (2009),

("[The Swiss Government has deliberately chosen not to adopt any written rules, constitutional or otherwise, for emergencies so as not to hamper the executive in its handling of the crisis. Rather, it relies on an extra-constitutional and un-codified 'doctrine of necessity', which stipulates that, in a severe emergency, the government may seize almost total power, leaving the parliament virtually toothless.").

Are there requirements to provide source code or other decryption capabilities? No. Again, however, it's conceivable that a Member State could impose such a requirement based on the authority granted by the NIS Directive.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? Yes. "A [DSP] that is not established in the Union, but offers [digital] services . . . within the Union, shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered." NIS Directive, art. 18.

Are there requirements to localize data? There are no data localisation requirements. The EU data protection rules combine a high level of protection of personal data with rules on the free movement of personal data. This means that any processing of personal data, including their transfer, needs to be compliant with the General Data Protection Regulation.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? Member States are given discretion to determine their own penalties. Most Member States have included provisions for financial penalties in their transposition legislation.

"Member States shall lay down the rules on penalties applicable to infringements of national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive." See NIS Directive, art. 21.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Unclear: Member States are given discretion to determine their own penalties. Most Member States have not included provisions for criminal penalties in their transposition legislation. See cite.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The NIS Directive entered into force in August 2016, and individual countries were required to implement the NIS Directive by May 9, 2018.

See Questions and Answers: Directive on Security of Network and Information systems, the first EU-wide legislation on cybersecurity, European Commission (Oct. 28, 2019).

The EU Cybersecurity Act entered into force on June 27, 2019. The EU Cybersecurity Act brings a strong agency for cybersecurity and EU-wide rules on cybersecurity certification, European Commission (June 26, 2019). The GDPR entered into force on May 24, 2016 and became binding on May 25, 2018. Data protection in the EU, European Commission, (last visited Dec. 29, 2019).

France

Government Structure

Do they designate a lead cyber security agency within the government? Yes. The French Network and Information Security Agency (ANSSI) (Agence Nationale de la Sécurité des Systèmes d'Information).

Is oversight provided on a centralized or sectoral basis? Both. ANSSI sets technical and organizational rules that are "mostly basic cyber hygiene measures and common to all sectors." However, there are additional sector-specific safety and incident notification requirements. See The French CIIP Framework, ANSSI.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? 12 Sectors: Food, Water Management, Health, State Civil Activities, Judicial Activities, Military Activities, Energy, Finance, Transportation, Electronic, Telecom and Broadcasting, Industry, and Space and Research. See La Securite Des Activites D'importance Vitale, SGDSN.

How do they designate within these sectors? The law designates by subsector and "type of operators" within those subsectors (e.g. Sector: Energy; Subsector: Electricity; Type of Operators: Supply Chain Companies, Distribution Network Managers, and Transmission System Operators). See Annex, Decree No. 2018-384 of 23 May 2018.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. ANSSI has established technical and organizational rules that are "[c]ross-sectoral [and] are mainly composed of basic cyber measures and fall within 20 categories including network mapping, network segmentation, implementation of trusted detection capabilities, accreditation, etc." See The French CIIP Framework, ANSSI.

Does it take a risk-based approach? Yes. Operators are only subject to the rules where "networks and information systems are necessary to the provision of [an essential] service and that an incident affecting these networks and systems would have serious consequences on the provision of this service," assessed according to several criteria, including the number of users depending on the service, and whether other essential designated sectors depend on that activity. See Article 2, Decree No. 2018-384.

Do the security measures enable the use of international standards? Article 12 of Law No. 2018-133 of February 26, 2018, which contains various provisions for adaptation to European Union law in the field of security, states that digital service providers (DSPs) must take "respect of international standards" into account when identifying and addressing risks that threaten the security of their networks and information systems. See Article 12, Law No. 2018-133 of February 26, 2018.

Are security measures NIST CSF compatible? (Possible to comply through this approach?) The French framework requires more than what is required by NIST CSF.

Do they include prescriptive or technology-based security measures? No.

Incident Reporting

Are there mandatory incident reporting requirements? Yes. Operators must report incidents to the ANSSI. See Article 11, Decree No. 2018-384.

Are there clear thresholds above which an incident should be reported? It depends on the sector. See The French Cyber Security Framework, FAQ, How Does Security Incident Notification Work Within the Framework of the CIIP Law? (last accessed Jan. 1, 2020).

How do they determine the timeline within which an incident must be reported? An operator must report any incidents "as soon as they become aware of them." See Article 11, Decree No. 2018-384.

Threat Information Sharing

Have they established a national threat information sharing entity? The Information Systems Security Operational Center (COSSI) is responsible for "acquir[ing], develop[ing], capitaliz[ing] and shar[ing] knowledge of the cyber threat as well as the vulnerabilities of the digital systems that the agency defends..." See Operations Branch (SDO), ANSSI.

Does this entity share information out to industry, as well as receiving information? Yes. See Operations Branch (SDO), ANSSI.

Is threat information sharing mandatory for any private sector entity? Yes. See Article 11, Decree No. 2018-384.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? Yes. The Prime Minister, after consulting the ministers concerned, may impose one control per calendar year on a network or information system (unless a security incident or vulnerability is noted during the check, in which case there may be more checks). See Article 13, Decree No. 2018-384.

Are there requirements to cede control of facilities in an emergency situation? No.

Are there requirements to provide source code or other decryption capabilities? Yes, in certain circumstances. Article L.871-1 of the French Internal Security Code enables administrative and judicial authorities to require natural or legal persons providing encryption services aimed at ensuring a confidentiality function to submit within 72 hours an agreement enabling the decryption of data transformed by means of the services they have provided. See Frederic Lecomte and Melina Charlot, France: Cybersecurity 2020, ICLG (Oct. 22, 2019).

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? Yes, pursuant to Art. 18 of the NIS Directive. See Article 9, Decree No. 2018-384.

Are there requirements to localize data? No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? A fine of €100,000 is imposed on operators for failing to comply with the security rules referred to in Article 6. A fine of €50,000 is imposed on the same persons for failing to comply with the obligation to report an incident or information. Obstruction of the inspections of the national security authority is punishable by a fine of €100,000.

See Article 15, Law No. 2018-133 of February 26, 2018.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? No.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? Law No. 2018-133 was enacted on February 26, 2018. Decree No. 2018-384 was enacted on May 23, 2018.

Netherlands

Government Structure

Do they designate a lead cyber security agency within the government? Yes. The National Cyber Security Centre, under the authority of the National Coordinator for Counterterrorism and Security, oversees digital security in the Netherlands.

Is oversight provided on a centralized or sectoral basis? Both. The Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, "NISS Act") requires providers of essential services and digital service providers to take appropriate technical and organisational measures to manage security risks to their networks and information systems. There are also sector-specific regulations.

See Shima Abbady & Berend van der Eijk, Stricter enforcement of cybersecurity rules to be expected in the Netherlands, Lexology (Oct. 7, 2019).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? Category A: National transportation/distribution of electricity, natural gas production, oil supplies, storage/production/processing of nuclear materials, drinking water supplies, & water management.

Category B (lower thresholds in terms of economic impact, physical impact, and societal impact): Regional distribution of electricity and gas, flight/airplane management, maritime and inland shipping management, large scale storage, production, or processing of petrochemical resources, financial sector, communication with/between emergency services, police mobilization, government services that depend on reliable, available digital information and data systems.

See Securing Critical Infrastructures in the Netherlands, The Hague Security Delta, at 9 (2015).

How do they designate within these sectors? Under the direction of the NCTV, the Dutch ministries will review which critical components require protection and will examine whether organizations are sufficiently aware of vulnerabilities. See Government of Netherlands: Structural improvement in digital resilience (June 12, 2019).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. The 2018 National Cyber Security Agenda set forward seven objectives and the measures necessary to accomplish them. These measures include mandatory cyber threat/incident reporting (notification) as well as requiring critical processes to develop their capacity to withstand cyber-attacks (duty of care).

See Ferd Grapperhaus, Minister of Justice and Security, National Cyber Security Agenda: A cyber secure Netherlands (April 20, 2018).

Does it take a risk-based approach? Yes. See Nicolas Castellon and Erik Frinking, Securing Critical Infrastructures in the Netherlands: Towards a National Testbed, The Hague Security Delta.

Do the security measures enable the use of international standards? Unclear from available resources.

Are security measures NIST CSF compatible? (Possible to comply through this approach?) NIST has not identified Netherlands as a compatible jurisdiction. See International Resources, Adaptations, NIST.

Do they include prescriptive or technology-based security measures? No.

Incident Reporting

Are there mandatory incident reporting requirements? Yes. Incidents must first be reported to the Computer Security Incident Response Team (CSIRT). For critical providers, this means the National Cyber Security Centre within the Ministry of Justice and Security. Digital service providers report incidents to the CSIRT for digital services, which falls under the Ministry of Economic Affairs and Climate Policy. In addition, providers of essential services and digital service providers must also report these incidents to their sectoral supervisory body.

See Ministry of Justice and Security, National Coordinator for Security and Counterterrorism, Cyber Security Assessment Netherlands 2019.

Are there clear thresholds above which an incident should be reported? Providers of essential services, others designated as critical providers by administrative order, and digital service providers are subject to a notification obligation in the event of incidents that could have substantial consequences. An incident is defined as any event that has a damaging effect on the security of the network systems and information systems used for the purposes of the services in question.

See Ministry of Justice and Security, National Coordinator for Security and Counterterrorism, Cyber Security Assessment Netherlands 2019.

How do they determine the timeline within which an incident must be reported? Unclear from available resources.

Threat Information Sharing

Have they established a national threat information sharing entity? Yes. The National Cyber Security Centre, the agency tasked with overseeing digital security in the Netherlands, alerts public authorities and organizations of potential threats and advises both on how to protect themselves from online threats. See Government of the Netherlands, Fighting Cybercrime in the Netherlands.

Does this entity share information out to industry, as well as receiving information? Yes. The National Cyber Security Centre alerts public authorities and organizations of potential threats and advises both on how to protect themselves from online threats.

Is threat information sharing mandatory for any private sector entity? Yes. Providers of essential services, others designated as critical providers by administrative order, and digital service providers are subject to a notification obligation in the event of incidents that could have substantial consequences.

See Ministry of Justice and Security, National Coordinator for Security and Counterterrorism, Cyber Security Assessment Netherlands 2019.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? The Computer Crime Act, which went into effect in March 2019, gives public authorities the power to access computers covertly to investigate serious crimes (child pornography, drug trafficking and targeted shootings). Jurisdiction would extend to personal computers, mobile phones and servers. In addition, the Act gives investigating officers the power to apply various investigative tactics, such as making certain data inaccessible, copying files and tapping communication channels.

See Government of Netherlands, New law to help fight computer crime.

Are there requirements to cede control of facilities in an emergency situation? See above.

Are there requirements to provide source code or other decryption capabilities? The Dutch Code of Criminal Procedure states that in cases involving serious offenses like terrorism, the public prosecutor can require a person “reasonably presumed to have knowledge of the manner of encryption of the communications . . . to assist in decrypting the data." See Daniel Severson, The Encryption Debate in Europe, Hoover Institution (2017).

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? Unclear from available resources.

Are there requirements to localize data? Not other than the GDPR.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? Unclear from available resources.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? The Netherlands has criminal penalties for the following cyber activities: hacking, illegal interception, data interference, system interference, misuse of devices, computer fraud, computer forgery, data theft, identity theft, grooming (prepping minors for sexual abuse), child pornography, racism, violation of copyright, violation of privacy. While the majority of these offenses carry punishment of two to four years in prison, some of these would allow for an eight-year maximum sentence. See B. J. Koops, Cybercrime Legislation in the Netherlands, Electronic Journal of Comparative Law (December 2010).

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Cyber Security Assessment was published on September 13, 2019.

United Kingdom

Government Structure

Do they designate a lead cyber security agency within the government? Yes. The National Cyber Security Centre (NCSC).

Is oversight provided on a centralized or sectoral basis? Oversight of each CII sector will be provided by their traditional regulator(s). See The Network and Information Systems Regulations (NISR), 2018 No. 506 (Schedules 1 and 2).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? 13 Sectors: Chemicals, Civil Nuclear, Communications, Defense, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. See Critical National Infrastructure, Centre for the Protection of National Infrastructure (last visited Jan. 1, 2020).

How do they designate within these sectors? Thresholds. Each sector has its own threshold for determining critical assets. For energy, it's any supplier that has 250,000 customers. For financial services, it's large banks and payment systems. See NISR, Schedule 2.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. At the national level for CNI, at the EU level for DSPs.

Does it take a risk-based approach? Yes. An OES/CNI should identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems.

Do the security measures enable the use of international standards? Yes.

Are security measures NIST CSF compatible? (Possible to comply through this approach?) Yes. In fact, NIST lists the UK's NIS Guidance Collection under "Framework Adoptions" and "International Resources" on their website.

Do they include prescriptive or technology-based security measures? No. See NCSC Cyber Assessment Framework (CAF) (last accessed January 1, 2020).

Incident Reporting

Are there mandatory incident reporting requirements? Yes. See NISR Regulation 11 and Regulation 12.

Are there clear thresholds above which an incident should be reported? Yes. An incident that has a "significant impact on the continuity of essential service" should be reported. To determine significance, the OES should consider the number of users affected, the duration of the incident and the geographical area affected by the incident. See NISR Regulation 11(1)-(2).

How do they determine the timeline within which an incident must be reported? It depends on the sector. Many sectors do not have a reporting requirement other than for breaches of personal information.

Threat Information Sharing

Have they established a national threat information sharing entity? Yes. The Cybersecurity and Infrastructure Security Agency (CISA) is a joint industry and government initiative set up to exchange cyber threat information in real time.

Does this entity share information out to industry, as well as receiving information? Yes. NCSC has the Industry 100 group that brings together public and private sector to identify vulnerabilities and reduce attacks.

Is threat information sharing mandatory for any private sector entity? No. See NISR Regulation 6.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? Yes. An OES must allow their authority to conduct an inspection. See NISR, Regulation 16.

Are there requirements to cede control of facilities in an emergency situation? No. See Regulation 16.

Are there requirements to provide source code or other decryption capabilities? No. See Regulation 16.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? No.

Are there requirements to localize data? No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes. There are four levels of financial penalties depending on the nature of the material contravention. The highest fine is up to 17,000,000 pounds for an incident that could result in a threat to life or significant adverse impact on the UK economy. See NISR, Regulation 18.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? No. The penalty enforcer does have criminal prosecution powers. See NISR, Regulation 18.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Network and Information Systems Regulations (NISR) went into effect on May 10, 2018.