The Network and Information Systems Regulations 2018 (NIS Regulations)

Simplifying the Compliance Process with NIS 2018


The Network and Information Systems Regulations 2018 (NIS Regulations) were established in the UK as part of a larger European initiative to enhance the resilience of critical infrastructure. These regulations stem from the EU’s Directive on Security of Network and Information Systems, adopted in 2016. After Brexit, the UK opted to maintain and modify this framework to uphold cyber resilience in its key sectors.

Why is NIS 2018 Needed?

The primary purpose of NIS 2018 is to enhance the overall security of network and information systems across sectors that are vital to the UK’s economy and public safety. The regulations aim to improve the protection of critical infrastructure by mandating security measures and ensuring that essential services can withstand, and quickly recover from, incidents that impact the availability, confidentiality, and integrity of their IT systems.

Who Does NIS 2018 Apply To?

Operators of Essential Services (OES)

Regulation 1 of NIS defines an essential service as one that is essential for the maintenance of critical societal or economic activities, in sectors such as water, energy, transport, healthcare, and digital infrastructure.
An OES is an organisation providing such a service where:

  • The provision of the service depends on network and information systems; and
  • An incident affecting those systems would have ‘significant disruptive effects’ on the provision of that service.

Organisations that meet the sector-specific thresholds set out in the Regulations are designated as OES by the relevant competent authority.

Relevant Digital Service Providers (RDSP)

If your organisation offers certain types of digital services, you are a digital service provider (DSP).
Not all digital services fall under the NIS Regulations, however. To be a relevant digital service provider (RDSP), your digital service must be one or more of the following:

  • An online marketplace
  • An online search engine
  • A cloud computing service

Exception for Micro or Small Enterprises

The NIS Regulations do not apply to digital service providers that are micro or small enterprises. This exemption applies only to DSPs; an OES is designated on the basis of sector thresholds, regardless of its size.
A micro or small enterprise is a business that employs fewer than 50 people and has an annual turnover and/or balance sheet total not exceeding €10 million.

Enforcement and Consequences of Non-Compliance

Competent Authorities

Each sector covered by the NIS Regulations has a designated competent authority responsible for overseeing compliance. These authorities are sector-specific regulators with the power to monitor, audit, and enforce the Regulations. They can issue penalties and require remedial action in cases of non-compliance. The competent authorities play a critical role in ensuring that both OES and RDSPs meet their obligations under the NIS framework.

The Role of the Information Commissioner’s Office (ICO)

The Information Commissioner’s Office (ICO) serves as the competent authority for RDSPs. The ICO’s role involves regulating and enforcing the security measures that RDSPs must implement, as well as overseeing the reporting of significant incidents. Failure to comply with the NIS Regulations can lead to substantial fines and other enforcement actions by the ICO.

Fines for Non-Compliance

Fines under the NIS Regulations can be substantial. The level of any fine is determined by the competent authority (the sector-specific regulator for an OES, the ICO for an RDSP), which must set a penalty that is appropriate and proportionate to the failure, taking into account the nature, severity, and duration of the non-compliance. Penalties are tiered by the seriousness of the contravention, up to a maximum of £17 million for the most serious failures. Note that, unlike the UK GDPR, the NIS Regulations do not provide for a turnover-based percentage fine. The amount in a given case will depend on factors such as the degree of negligence, the impact on the provision of the essential or digital service, and the effectiveness of the organisation’s response.

NCSC Cyber Assessment Framework (CAF)

The National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF) as a tool for assessing how well an organisation manages the cyber security of the network and information systems that support its essential functions. Competent authorities use it to assess OES, and organisations can use it to self-assess against the NIS Regulations. The CAF is structured around four main objectives, broken down into fourteen principles, each focusing on a critical area of cyber security. Together they provide a comprehensive approach to assessing and enhancing an organisation’s resilience against cyber threats.

Main objectives of the CAF

  1. Objective A: Managing security risk
     This objective focuses on establishing and maintaining effective governance for managing cyber security risk. It covers setting policies, assigning responsibilities, managing assets and the supply chain, and ensuring that risk management processes are embedded throughout the organisation.

  2. Objective B: Protecting against cyber attacks
     Organisations must implement appropriate and proportionate security measures to protect the systems and networks that support their essential functions. This includes service protection policies, identity and access control, data and system security, resilient networks and systems, and staff awareness and training.

  3. Objective C: Detecting cyber security events
     The ability to detect incidents quickly and accurately is crucial. This objective covers security monitoring, proactive discovery of security events, and maintaining the situational awareness needed to identify security events in a timely manner.

  4. Objective D: Minimising the impact of incidents
     This objective emphasises the importance of robust incident response and recovery plans. Organisations need to be prepared to manage and mitigate the impact of incidents, ensure that critical services can continue to operate or be restored swiftly, and learn lessons from incidents to prevent recurrence.

How Can We Help?

To support the achievement of the CAF objectives, we deliver a range of services:


Managing Security Risk:

  • NIS 2018 gap analysis and current state assessment
  • Cyber security risk assessment and management
  • Information security management system (ISMS) development
  • Security policy development
  • Supply chain reviews

Detecting Cyber Security Events

Your Roadmap to NIS Compliance

To achieve compliance with NIS 2018, organisations need a strategic roadmap that addresses its core requirements. The roadmap below offers a structured approach to aligning with the NCSC Cyber Assessment Framework (CAF) and fulfilling the specific obligations of the NIS Regulations. By following these steps, you can manage cyber risk effectively, strengthen your security posture, and maintain continuity of service as cyber threats evolve.

  1. Conduct a Current State Assessment and Gap Analysis
  2. Develop a Compliance Strategy
  3. Align Risk Management Frameworks with NCSC CAF
  4. Implement Security Controls to Protect Against Cyber Attacks
  5. Enhance Incident Detection and Response Capabilities
  6. Test and Validate Operational Resilience
  7. Manage Third-Party Dependencies and Risks
  8. Establish Continuous Monitoring and Improvement Processes
