6. Obligation on providers to take measures to manage risk
(1) Providers shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and services.
(2) Measures taken in accordance with subsection (1) shall ensure a level of security appropriate to the risk presented having regard to the state of the art.
(3) In particular, measures, including the use of encryption where appropriate, shall be taken by providers to prevent security incidents and minimise the impact of any security incident on users and on other networks and services.
(4) The Minister, having consulted with the Commission, may make regulations in relation to the types of measures to be taken by providers to manage risks in accordance with subsection (1).
(5) Regulations under subsection (4) may -
(a) contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of ensuring that risks posed to the security of networks and services are appropriately managed,