Regulation 27 Security assessment
(a) The competent authority referred to in Regulation 7(1) may, in relation to those sectors in respect of which it is designated as the competent authority, carry out an assessment, whether by means of a security audit or otherwise, of the compliance by an operator of essential services with its obligations under Regulations 17 and 18 and for that purpose may appoint an independent person or auditor to carry out the assessment on its behalf.
(b) The competent authority referred to in Regulation 8 may, in relation to a relevant digital service provider, carry out an assessment, whether by means of a security audit or otherwise, of the compliance by a relevant digital service provider with its obligations under Regulations 21 and 22 and for that purpose may appoint an independent person or auditor to carry out the assessment on its behalf.
(2) A competent authority referred to in paragraph (1) may request an operator of essential services or a relevant digital service provider, as the case may be, to provide the competent authority with -