Version status: In force | Document consolidation status: No known changes
Version date: 18 September 2018 - onwards

Regulation 21 Security measures to be taken by relevant digital service providers

(1) A relevant digital service provider shall identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems used by it when offering a service set out in Schedule 2 in the Union.

(2) The measures to be taken under paragraph (1) shall, having regard to the state of the art -

(a) ensure a level of security of network and information systems appropriate to the risk posed, and

(b) take into account the following in accordance with the Implementing Regulation:

(i) the security of systems and facilities;

(ii) incident handling;

(iii) business continuity management;

(iv) monitoring, auditing and testing;

(v) compliance with international standards.