The Network and Information Systems (NIS) Regulations 2018
The Security of Network and Information Systems (NIS) Directive provides legal measures to protect essential services and infrastructure by improving the security of their Network and Information Systems. The UK is implementing the requirements of the NIS Directive through the NIS Regulations 2018, which came into effect on 10 May 2018.
The NIS Directive specifies the types of entities that all Member States should consider for inclusion. In the UK, designation of organisations as operators of essential services (OES) will be achieved through setting thresholds in legislation relating to the scale of an organisation’s operations. These thresholds have been defined based on the level of societal or economic impact which could result from disruption to the services those entities provide. Organisations that meet those thresholds will automatically be designated as OES when the regulations come into force.
Oversight and enforcement of the NIS Regulations is the responsibility of the designated Competent Authority (CA). CA’s have the sole authority and responsibility for all regulatory decisions in relation to the NIS Regulations.
Whilst the Secretary of State (for England) and the Welsh Government (for Wales) are the designated competent authorities for the water sector, operational responsibilities of the competent authority function have been conferred to the DWI.
CA’s will be supported by the National Cyber Security Centre (NCSC) who will offer technical support to Competent Authorities when required, and who will undertake the duties of the Single Point of Contact (SPOC) and the Computer Security Incident Response Team (CSIRT).
To ensure the sector is complying with the NIS Regulations from the 10 May, DWI has published its Day 1 Guidance (PDF 460KB) which outlines the implementation of the Regulations, the incident reporting thresholds and the process to notify a NIS incident. It also outlines the expectations of compliance with the Regulations within the first year.
DWI will issue further Guidance documents on NIS Roles and Responsibilities, Incident Reporting, Inspections, Enforcement, and Response to Non-Cyber Incidents over the course of the year, with a completed set of Guidance Documents available by Nov 2018.
Page reviewed: 9 May 2018
Page modified: 9 May 2018