Mr. Richard Browne:

Precisely. The Chairman said it himself. In the first instance, the responsibility for the security of these companies' systems and data is with them. The companies are responsible for their own systems with regard to the general data protection regulation, GDPR, and network and information security, NIS. Our only responsibility with regard to DSPs particularly is post hoc- after the fact. The directive is explicit that we cannot ex ante audit or assess anybody. There has to have been an incident. Our role is literally to go in and assess. In the regulations we have given ourselves express powers to do exactly that and to issue notices and compliance notices. We have also given ourselves powers and are in the process of procuring external auditors to conduct audits on our behalf in those companies. We are ready now to do assessments if we need to but we will have consultancy firms on hand very shortly to step in and engage with the companies directly on our behalf.