Enforcement Policy – Network and Information Systems
1. Introduction
In 2018, the Network and Information Systems Regulations 2018 (“the NIS Regulations”) came into UK law. The NIS Regulations identify the supply of potable water as the essential service for the subsector of Drinking Water Supply and Distribution. The regulations designated the Secretary of State for Environment, Food and Rural Affairs and the Welsh Ministers as the Competent Authorities for England and Wales respectively. The Drinking Water Inspectorate (“the Inspectorate”) has been nominated to exercise the operational function and regulatory activity of the Competent Authority (“CA”) for England and Wales.
The NIS Regulations outline that in the UK, the threshold for being designated an Operator of Essential Services (OES) in the water sector is the supply of drinking water to 200,000 or more people. The Department of Food and Rural Affairs (Defra) and Welsh Government can still designate an OES if numbers supplied are under 200,000 people, where an operator provides an essential service listed in Schedule 2, network and information systems are utilised to run the essential service and where the CA deem an incident affecting the provision of the essential service is likely to have significant disruptive effect on the essential service. The NIS Regulations require that an OES takes appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service depends.
This Enforcement Policy document sets out the general principles we follow in relation to our powers of enforcement under the NIS Regulations. It also takes account of our strategic objectives[1] which are available on our website. In writing this policy, we have had regard to the Guidance for Competent Authorities, published by the Department for Science, Innovation and Technology (formerly the Department for Digital, Culture and sport)[2]
This policy will be kept under review and updated to reflect changes in law, policy, better regulation and learning from its implementation.
In conjunction with this policy, we also publish information, guidance, protocols and tools on our website[3] to help those we regulate with any submission to us and to understand compliance.
2. Better Regulation
We consider that the best way to ensure that water companies comply with their legal and regulatory requirements is through guidance and advice, ensuring that those carrying out regulated activities understand the nature and extent of their responsibilities and comply voluntarily.
However, there are times when compliance needs to be secured through enforcement action. Formal enforcement is about securing compliance with regulatory requirements. To this end there is a spectrum of civil sanctions available to us, these include:
- statutory notices requiring or prohibiting companies to take certain steps;
- statutory notices requiring the provision of specified information, and;
- financial penalties.
This policy sets out how we determine the most appropriate choice of sanction in any case. In determining this, we will ensure that we have regard to relevant regulatory duties and guidance, which include:
- The Legislative and Regulatory Reform Act 2006[4] (as amended) and the Legislative and Regulatory Reform (Regulatory Functions) Order 2007 (as amended)[5]. These pieces of legislation require that regulatory functions (including enforcement) are carried out in a way which complies with the principles of transparency, accountability, proportionality and consistency, and will only be used in cases where action is needed.
- The Regulators’ Code[6] sets out that regulators should:
- carry out their activities in a way that supports those they regulate to comply and grow;
- provide simple and straightforward ways to engage with those they regulate and hear their views;
- adopt a risk-based approach to regulatory activity;
- share information about compliance and risk;
- ensure clear information, guidance and advice is available to help those they regulate to meet their regulatory duties; and
- ensure their approach to regulatory activities are transparent.
- The government’s guidance under section 110(6) of the Deregulation Act 2015[7], which requires that regulators consider the importance for the promotion of economic growth of exercising the regulatory function in a way which ensures that regulatory action is taken only when it is needed, and any action taken is proportionate. This duty does not apply to decisions as to whether to institute or conduct criminal or civil proceedings.
The effective use of enforcement powers is important to secure compliance with the law and, where necessary, to ensure that those who have not complied are held to account. Enforcing authorities need to maintain a balance between enforcement and advisory activities when allocating resources.
In situations where a course of conduct could be investigated and sanctioned by more than one investigative or enforcement authority, we will coordinate with these authorities from the earliest possible stage. Where appropriate, we may combine our enforcement action with other authorities so that only one investigation and prosecution will take place, with one authority acting as the lead coordinator. Where this is not possible, we will coordinate with the other authorities to ensure that the public can have confidence in the outcome of each case and the law is enforced in a fair and effective way.
Whenever possible we will work with other regulators and authorities to amplify the positive impact of enforcement action. This includes establishing and keeping up-to-date relevant Memoranda of Understanding with other regulators and authorities as appropriate.
To this end, the Inspectorate may share information with other NIS enforcement authorities, law enforcement authorities, the computer security incident response team (“CSIRT”) the National Cyber Security Centre (NCSC) and relevant public authorities in the UK. This will only occur should it be necessary to allow facilitation of the functions of a NIS enforcement authority, for national security purposes or for purposes relating to preventing or detecting crime, the investigation of an offence or for the investigation of the conduct of a prosecution. Only information which is relevant and proportionate to the above situations will be shared. Information shared is bound to the same strict information handling policy as deemed by its classification and will not be shared further, unless deemed appropriate by the Inspectorate.
When sharing information with a public authority , confidential information and information which could prejudice the security or commercial interests of an OES will not be shared.
Our complaints procedure[8], which is available on our website, can be followed for any complaints relating to our enforcement activities.
3. Principles of enforcement
Having regard for the legislation and guidance set out above, we adopt the enforcement principles set out in the following sections.
3.1 Accountability
We must be able to justify decisions made within the context of the regulatory framework within which we operate. The NIS Regulations describe the Competent Authorities’ duties, which include the duty to enforce in specified circumstances. We will explain the reasoning behind any enforcement action we have taken, or propose to take, to the relevant parties concerned.
Unlike our drinking water quality enforcement, details of NIS enforcement action we have undertaken is not published on our website, as we consider that would pose a risk to security. However, all enforcement served on an OES will be shared directly with them via a secure platform.
3.2 Proportionality
Proportionality in securing compliance with the NIS Regulations will generally involve taking account of the degree of the risk of adverse consequences resulting from non-compliance. The type and nature of enforcement will also take account of the OES’ history of compliance with its legal and regulatory obligations and past performance. We may be required to adopt precautionary measures (such as enforcement), in which case our decisions will be guided by the best available evidence as to the likelihood and the severity of the realisation of those risks in the relatively near future.
3.3 Consistency
To remain consistent, we shall apply a similar approach in similar cases, to achieve similar outcomes. There remains a degree of discretion, to account for wider factors such as the attitude and level of competence of the OES in bringing about the outcome sought.
The Inspectorate’s enforcement team operates nationally across England and Wales, and across the three disciplines of NIS, SEMD and drinking water quality. They maintain an overview of all of our enforcement action. The final decision on whether enforcement action should be pursued or not, is made by the Principal Inspector for Enforcement (or nominated representative), the Principal Inspector for NIS, the Deputy Chief Inspectors or the Chief Inspector. This ensures consistency in our approach.
3.4 Transparency
To be transparent with those we regulate, we shall:
- Help them understand what is required to comply with the law.
- Set out what they may expect from us in return.
- Clearly outline why we have taken or intend to take enforcement action.
- Make clear what breach or offence we consider is being or has been committed.
- Provide details of any rights of appeal or opportunity to make representations or objections.
We promote a culture of openness and honesty both within our own organisation and in our interactions with those we regulate. We expect those we regulate to mirror this culture of openness and honesty in their interactions with us.
3.5 Targeting
Targeting enforcement action means prioritising and directing regulatory effort effectively where it can have the most beneficial impact. This means concentrating on the activities that create or could create the most significant risk, either because the nature of the activity is inherently high-risk or because of a lack of appropriate controls or appropriate attitude of the OES. Additionally, this involves identifying and focusing on evidence of systemic risk or behaviour not conducive to effective risk management, including the timeliness of an OES’ response to risk and in their engagement with us.
4. Designations
The competent authority has the power to
- Under regulation 8, designate a person as an OES, including where that person does not meet the threshold requirement for the drinking water supply sector;
- Under regulation 9, revoke OES status of a person, for example should the person become outside the threshold requirement for the drinking water supply sector by demerger corporate activity or any other activity.
Whilst the Inspectorate will act in an advisory capacity, it is the Secretary of State (in England) or the Welsh Ministers (in Wales) which designate a person as an OES. It is the responsibility of OES to identify themselves to the Inspectorate where they meet the threshold for designation. OES that do not meet the threshold for designation may still be designated in cases where a security incident affecting the provision of the essential service provided by that entity would have significant disruptive effects. The Inspectorate will request representations on behalf of Defra and Welsh Government regarding the prospective OES’s circumstances before deciding on designation outcome.
5. Enforcement Options
Investigation of the circumstances or matters discovered on inspection, following an event, or identified by assessment of data or other sources of information, are vital. We will seek a resolution of matters by taking the most appropriate enforcement option, or combination of options, on a case-by-case basis and will use the graduated approach to enforcement wherever possible.
There are several enforcement options open to us; a summary of these has been provided in Table 1. The tiered enforcement options and sanctions are explained in further detail in section 6 and onwards.
Regulatory Action | Description of regulatory action | |
|---|---|---|
|
Suggestion |
Advice that can be used to secure improvements or better practices. Used where there has not been or is not likely to be a regulatory breach (or potential breach) of regulation. Suggestions are informal, and although we encourage suggestions to be considered, companies are not required to submit formal responses to any suggestions we may make. Suggestions do not become part of the enforcement record of the OES. | |
|
Recommendation |
Issued to secure required improvements to prevent a breach, prevent a potential breach or to prevent a reoccurrence of a breach of regulation. A written response to a recommendation is required from the person or company. Recommendations, and information as to whether the company has complied with them, are kept on an OES’ regulatory performance record. Failure to follow recommendations where risk has or is likely to increase may result in the escalation of our enforcement action towards civil sanctions. | |
|
Information Notice |
Information notices require the OES to provide the Inspectorate with all relevant information as set out in the notice. Generally, information will be collected through voluntarily means, but an information notice will be served where information is missing or withheld from us. The Inspectorate can also serve an information notice on an appropriate person to assess whether a person should be identified or nominated as an OES. | |
|
Enforcement Notice |
Where the risk is assessed as being high, or has been high, the immediate serving of a legal instrument could be warranted. Generally, enforcement notices encompass a set of requirements that the OES must do to mitigate a risk by a specified date. They can also include specific instructions, such as a requirement for a specific action to be completed. Failure to comply with the required steps, can result in further enforcement in the form of a financial penalty. | |
|
Penalties |
A notice of intention to impose a penalty may be issued if the Inspectorate considers that the OES has failed to take adequate steps to comply with duties set out in the NIS Regulations, as set out above and in the specific contraventions outlined further in the Penalties section below. | |
6. Recommendations and legal instruments
6.1 Recommendations
We measure water company recommendations performance based on the number of recommendations they have received from us, the type and severity of the recommendation and the quality of the company’s response to our recommendation.
6.2 Legal Instruments
The Inspectorate is granted enforcement powers in respect of breaches of the NIS Regulations that include the following types of legal instruments:
- Information notices under regulation 15 of the NIS Regulations
- Enforcement notices under regulation 17 of the NIS Regulations
We will serve legal instruments according to our assessment of the level of risk posed in the circumstances of the case. Where we do not consider there to be an immediate risk, we will write to the OES, explaining that we are minded to enforce with a legal instrument. In doing so, we shall clearly outline the legal instrument we propose to serve and the reasoning behind this. We will also stipulate the period during which representations or objections regarding the proposed enforcement may be made to us and how. In cases where there is an immediate, unmitigated risk, we will serve a legal instrument immediately, without consultation. In these situations, we will write to the OES to explain our reasoning for this.
After the period has ended, we will consider any representations or objections made (which have not been withdrawn) to determine whether we should proceed with enforcement. Where any representations or objections made show that the risk has been satisfactorily addressed, we may subsequently determine that the need for enforcement action is negated; our reasoning for doing so will be explained in writing. Where we feel the risk remains, we will serve the legal instrument and explain our reasoning for doing so in writing, when the legal instrument is served.
Failure to comply with an enforcement notice may lead to further enforcement action being taken by us, in the form of a financial penalty.
The Inspectorate’s commitment to hearing representations does not displace the statutory right of a company aggrieved by an enforcement or penalty order to make an application to the First-tier Tribunal under the legislation (see section 10 below).
7. Financial Penalties
A penalty is a punitive measure either because action has not been taken or the lack of action that led to the OES being in non-compliance is considered serious enough to require punishment.
A penalty shall be appropriate and proportionate within the prescribed limit of £17,000,000. The amount will not exceed 10 percent of the turnover of the OES and the financial burden of a penalty must not be passed on to customers (through water and sewage bills). The penalties will be paid into the relevant Consolidated Fund, this will be outlined in each case in the penalty notice.
Penalty (Maximum) | Penalty Banding Condition |
|---|---|
|
£1,000,000 |
If the contravention was deemed not a material one. |
|
£8,500,000 |
If the contravention is material, but does not meet the below band’s criteria (has, or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES). |
|
£17,000,000 |
If the material contravention has, or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES. |
Non-material contraventions include instances where an OES has failed to:
- Notify the CA under regulation 8A or 8(2);
- Comply with an information notice under regulation 15;
- Comply with a regulation 16(1)(c) direction;
- Comply with regulation 16(3) requirements
A material contravention is defined in regulation 18(7)(a) and refers to circumstances in which an OES fails to take, or adequately take, one or more of the steps required under an enforcement notice within the period stipulated in that notice to rectify a failure to:
- Fulfil the security duties under regulation 10(1) and (2);
- Notify a NIS incident under regulation 11(1);
- Comply with the notification requirements stipulated in regulation 11(3);
- Notify an incident as required by regulation 12(9).
- Comply with a duty set out in regulation 17 (3A).
The Inspectorate will determine an appropriate and proportionate penalty. We follow the methodology detailed below, which is based on existing penalty frameworks, including the Environmental Sentencing Guidelines[9]. Those guidelines have historically been used to set fines when a water supplies licensee has been convicted of an offence under the Water Industry Act 1991, the Water Supply (Water Quality) Regulations 2016 (as amended) (England) or the Water Supply (Water Quality) Regulations 2018 (Wales).
The OES may be informed of the Inspectorate’s intention to impose a penalty, in writing, in the form of a notice of intention to impose a penalty. The notice, if served, will include the reasons for imposing a penalty, detail on the penalty amount being considered and how to pay it, the date on which the intention to impose a penalty notice is given, the period within which the penalty will be required to be paid (if imposed), that the payment of a penalty notice is without prejudice to the requirements of any enforcement notice and how and when representations may be made about the content of the notice of intention to impose a penalty.
Before a notice of intention to issue a penalty is served on an OES, if the Inspectorate deems it appropriate, the OES shall be afforded the opportunity to hear and respond to the alleged breaches and the Inspectorate’s conclusions. This will usually take the form of a voluntary, recorded interview with a company director, authorised to speak on behalf of the corporate entity. A copy of any such recording will be shared with the OES. It may also be appropriate for the Inspectorate to collect statements from OES employees who were involved with or witnesses to the regulatory breach, or the impacts thereof.
The majority of OES fit into the large organisations definition (from the Environmental Sentencing Guidelines), with a turnover (or equivalent) of >£50 million. Some smaller OES may fit instead into the medium sized organisation, with turnover (or equivalent) of between £10m and £50m. For medium sized companies, alternatives to tables 8, 9, 10 and 11 are provided in appendix 5, as tables 12, 13, 14 and 15, which will be used instead, in the calculations of any fines for these organisations. Given the size criteria for an organisation to be designated an OES, it is unlikely that any OES will be small or micro sized organisations.
7.1 Calculation of a Penalty
In the calculation of all fines, the level of culpability is determined, based on the definitions in table 3 below.
Culpability | Definition |
|---|---|
|
Deliberate |
Deliberate Intentional breach of or flagrant disregard for the law by person(s) whose position of responsibility in the organisation is such that their acts/omissions can properly be attributed to the organisation; OR deliberate failure by organisation to put in place and to enforce such systems as could reasonably be expected in all the circumstances to avoid the regulatory breach(es). |
|
Reckless |
Actual foresight of, or wilful blindness to, risk of offending but risk nevertheless taken by person(s) whose position of responsibility in the organisation is such that their acts/ omissions can properly be attributed to the organisation; OR reckless failure by organisation to put in place and to enforce such systems as could reasonably be expected in all the circumstances to avoid the regulatory breach(es). |
|
Negligent |
Failure by the organisation as a whole to take reasonable care to put in place and enforce proper systems for avoiding the regulatory breach(es). |
|
Low or no culpability |
Regulatory breach(es) occurred with little or no fault on the part of the organisation as a whole, for example by accident or the act of a rogue employee and despite the presence and due enforcement of all reasonably required preventive measures, or where such proper preventive measures were unforeseeably overcome by exceptional events. |
Non-material Contraventions
The non-material contraventions (as detailed above) are assigned a category, based on their seriousness, as detailed in table 4 below.
Enforceable Action | Category |
|---|---|
Failure to comply with a regulation 16(1)(c) direction |
1 |
Failure to comply with an information notice under regulation 15 |
2 |
Failure to notify the CA under regulation 8A or 8(2) |
3 |
Failure to comply with regulation 16(3) requirement |
4 |
The size of penalty is determined by referencing to the culpability and category to the ranges in table 8 (appendix 1). Aggravating or mitigating circumstances will then be applied and increase or decrease the penalty within the range, as appropriate from the starting point.
Material Contraventions
Material contraventions are assigned a category, based on their seriousness, as detailed in table 5, below.
Enforceable Action | Seriousness |
|---|---|
Failure to fulfil the security duties under regulation 10(1) and (2), OR Failure to comply with a duty set out in regulation 17 (3A). |
1 |
Failure to notify a NIS incident under regulation 11(1). OR Failure to notify an incident as required by regulation 12(9). |
2 |
Failure to comply with the notification requirements stipulated in regulation 11(3). |
3 |
Material contraventions with no impact or potential impact on the essential service
Where there is no impact or potential impact on the essential service, the size of penalty is determined by referencing to the culpability and category to the ranges in table 9 (appendix 2). Aggravating or mitigating circumstances will then be applied and increase or decrease the penalty within the range, as appropriate from the starting point.
Material contraventions with an impact or potential impact to the essential service
To ensure that penalties are reflective of the actual impact, we apply two sets of bands, which are dependent on the level of impact or potential impact.
The essential service in this case is the supply of wholesome drinking water to consumers. An impact is defined as a direct loss of supply and/or pressure, or a breach of regulation 4 of the Water Supply (Water Quality) Regulations 2016 (as amended or the Water Supply (Water Quality) Regulations 2018 (Wales).
The proportion of the OES’ consumers affected (or potentially affected) is used to categorise the impact, as set out in table 6.
Impact or Risk (Potential Impact) | Score |
|---|---|
Serious, widespread impact or risk of impact (>76% of total population supplied by OES impacted). |
1 |
Significant impact or risk of impact (51% – 75% of total population supplied by OES impacted). |
2 |
Minor, localised impact or risk of impact (26% – 50% of total population supplied by OES impacted) |
3 |
Low impact (<26% of total population supplied by OES impacted). |
4 |
The size of penalty is determined by referencing to the culpability, category and impact to the ranges in tables 10 (appendix 3) or 11 (appendix 4), depending on where there is an actual or potential impact. Aggravating or mitigating circumstances will then be applied and increase or decrease the penalty within the range, as appropriate from the starting point.
7.2 Aggravating or mitigating circumstances
This list contains some examples of mitigating or aggravating factors that may be taken into account when deciding the position a fine should be set at, within a penalty band. It is not exhaustive and is for illustrative purposes only.
Aggravating factors | Mitigating factors |
|---|---|
|
OES did not cooperate with DWI investigation or hampered the investigation. |
OES fully cooperated with the DWI and assisted in the investigation. |
|
OES sought not to engage or attempted to cover up the event. |
OES engaged with DWI and NCSC as soon as reasonably practicable. |
|
The essential service was not protected as a priority. |
The protection of the essential service was prioritised. |
7.3 Considerations in relation to penalties
When considering whether to take specific action in relation to the NIS Regulations, the Inspectorate will consider whether its action is reasonable and proportionate, and, where possible, take the following (but not limited to) factors into account:
- The impact or potential impact of the regulatory breach on consumers, having regard to our strategic objectives.
- The implications of the regulatory breach for the credibility and enforcement of the regulatory regime.
- The perceived benefit accruing to the offender from not being duly diligent.
- Whether the regulatory breach occurred because of deliberate action, as opposed to whether it occurred accidentally or was a genuine mistake.
- Whether Inspectors were obstructed in the course of their duties.
- Whether the OES has been issued with previous written advice or guidance from us which, if followed, would have reduced the likelihood of a regulatory breach being committed.
- The previous enforcement record of the OES.
- The attitude of the OES representatives, including behaviour towards Inspectors, and whether robust and permanent corrective measures to remedy the regulatory breach or prevent any reoccurrence are or have been put in place.
- The risk of other similar regulatory breach being committed by the OES.
- The general deterrence of others who may be tempted to offend.
- Whether false or misleading evidence has been provided.
- Whether the regulatory breach is motivated by financial gain.
- Whether the regulatory breach arose from unusual circumstances where the situation could not have been foreseen or reasonable precautions have previously avoided the situation; and reasonable steps were taken to mitigate the matter and the appropriate authorities promptly notified.
8. Enforcement by Civil Proceedings
Further enforcement by civil proceedings can be initiated where the Inspectorate has reasonable grounds to believe that the OES has failed to comply with the requirements of an enforcement notice as required by regulation 17(3A).
The Inspectorate can pursue an injunction to enforce the duty in regulation 17(3A), under regulation A20(1) and A20(4). Civil proceedings can also be commenced by the Inspectorate for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or for any other appropriate remedy or relief.
Civil proceedings can be brought as above by the Inspectorate irrespective of an ongoing OES appeal to the First-tier Tribunal (see section 10 of this policy). However, if the Tribunal has granted suspension of the effect of the whole or part of a relevant and related decision under regulation 19B(2), this would mean that the Inspectorate could not bring or continue proceedings against this aspect of the decision until the suspension was lifted or an outcome was reached by the Tribunal.
The Inspectorate may not commence civil proceedings on the OES before the end of a period of 28 days, beginning with the day on which the relevant enforcement notice was served on the OES.
The enforcement powers available to the Inspectorate are not mutually exclusive and, in some circumstances, will be used in combination. Where a NIS incident leads to an impact on water supply or quality, we are able to take action under both the NIS Regulations and the Water Quality Regulations (refer to separate Drinking Water Quality Enforcement Policy)[10].
Where the focus of enforcement occurs across national boundaries, we will outline how this specifically affects an OES, or affiliated OESs in any communications.
If there is evidence of an immediate risk to the security of supply, enforcement action may be initiated without a period for representations.
9. Procedure for OES Challenge
9.1 First-tier Tribunal
The OES can write to the General Regulatory Chamber[11] to have the case heard by the First-tier Tribunal.
An OES may appeal to the First-tier Tribunal against:
- A decision under regulation 8(3) to designate that person as an OES;
- A decision under regulation 9(1) or (2) to revoke the designation of that OES;
- A decision under regulation 17(1) to serve an enforcement notice on that OES; and
- A decision under regulation 18A(3A) to serve a penalty notice with a final penalty decision on that OES.
An OES may appeal the decisions listed above on the grounds that (detailed under regulation 19A(3):
- The decision was based on a material error as to the facts;
- Any of the procedural requirements under the NIS Regulations in relation to the decision have not been complied with and the interest of the OES have been substantially prejudiced by the non-compliance;
- The decision was wrong in law; or
- There was some other material irrationality, including unreasonableness or lack of proportionality, which has substantially prejudiced the interests of the OES.
The First-tier Tribunal may confirm or quash the whole or part of any decision to which the appeal relates and may suspend the effect of some decisions until it has determined the appeal.
Where the Tribunal quashes the whole or part of a decision to which the appeal relates, it must remit the matter back to the designated competent authority for the OES with a direction to that authority to reconsider the matter and make a new decision having regard to the ruling of the Tribunal.
9.2 Writing to the Chief Inspector
Alongside the formal procedures given to OES to appeal in the NIS Regulations (the First-tier Tribunal, above), the Inspectorate remain open to feedback in undertaking enforcement. The Chief Executive Officer, or equivalent, of the OES, may make representations to the Chief Inspector in writing.
The Chief Inspector, or by delegation a Deputy Chief Inspector, will discuss the matter as soon as practicable, whereby a final decision will be made, normally within 28 days. Writing to the Chief Inspector is optional and not a prerequisite step before initiating a formal challenge to the First-tier Tribunal.
10. Consultation
This policy was developed in consultation with those we regulate (via Water UK), the Environment Agency, Natural Resources Wales, CC Water, Ofwat, the Department for Environment, Food and Rural Affairs (DEFRA), Welsh Government, the General Regulatory Chamber and the Department for Science, Innovation and Technology (DSIT). It replaces the Inspectorate’s previous Enforcement Policy dated September 2021.
Any questions regarding this policy should be addressed to DWI.Enforcement@defra.gov.uk
11. Appendix 1 – Penalty ranges for non-material breaches
Category of breach | Starting Point | Range |
|---|---|---|
|
Deliberate | ||
|
Category 1 |
£825,000 |
£750,000 – £1,000,000 |
|
Category 2 |
£825,000 |
£750,000 – £1,000,000 |
|
Category 3 |
£625,000 |
£500,000 – £750,000 |
|
Category 4 |
£375,000 |
£250,000 – £500,000 |
|
Reckless | ||
|
Category 1 |
£625,000 |
£500,000 – £750,000 |
|
Category 2 |
£625,000 |
£500,000 – £750,000 |
|
Category 3 |
£375,000 |
£250,000 – £500,000 |
|
Category 4 |
£125,000 |
£0 – 250,000 |
|
Negligent | ||
|
Category 1 |
£375,000 |
£250,000 – £500,000 |
|
Category 2 |
£375,000 |
£250,000 – £500,000 |
|
Category 3 |
£125,000 |
£0 – £250,000 |
|
Category 4 |
£125,000 |
£0 – £250,000 |
|
Low / No culpability | ||
|
Category 1 |
No fine | |
|
Category 2 |
No fine | |
|
Category 3 |
No fine | |
|
Category 4 |
No fine |
12. Appendix 2 – Penalty Ranges for material breaches with no impact and no potential impact on the essential service
Table – Penalty ranges for material breaches with no impact and no potential impact on the essential service
Category of breach | Starting Point | Range |
|---|---|---|
|
Deliberate | ||
|
Category 1 |
£7,250,000 |
£6,000,000 – £8,500,000 |
|
Category 2 |
£7,250,000 |
£6,000,000 – £8,500,000 |
|
Category 3 |
£4,750,000 |
£3,500,000 – £6,000,000 |
|
Reckless | ||
|
Category 1 |
£7,250,000 |
£6,000,000 – £8,500,000 |
|
Category 2 |
£4,750,000 |
£3,500,000 – £6,000,000 |
|
Category 3 |
£4,750,000 |
£3,500,000 – £6,000,000 |
|
Negligent | ||
|
Category 1 |
£4,750,000 |
£3,500,000 – £6,000,000 |
|
Category 2 |
£2,250,000 |
£1,000,000 – £3,500,000 |
|
Category 3 |
£2,250,000 |
£1,000,000 – £3,500,000 |
|
Low / No culpability | ||
|
Category 1 |
No fine | |
|
Category 2 |
No fine | |
|
Category 3 |
No fine |
13. Appendix 3 – Penalty Ranges for material breaches with a potential impact on the essential service
Category of breach | Impact | Starting Point | Range |
|---|---|---|---|
|
Deliberate | |||
|
Category 1 |
Impact 1 |
£11,000,000 |
£10,000,000 – £12,000,000 |
|
Impact 2 |
£9,000,000 |
£8,000,000 – £10,000,000 | |
|
Impact 3 |
£7,000,000 |
£6,000,000 – £8,000,000 | |
|
Impact 4 |
£5,000,000 |
£4,000,000 – £6,000,000 | |
|
Category 2 |
Impact 1 |
£9,000,000 |
£8,000,000 – £10,000,000 |
|
Impact 2 |
£7,000,000 |
£6,000,000 – £8,000,000 | |
|
Impact 3 |
£5,000,000 |
£4,000,000 – £6,000,000 | |
|
Impact 4 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Category 3 |
Impact 1 |
£5,000,000 |
£4,000,000 – £6,000,000 |
|
Impact 2 |
£5,000,000 |
£4,000,000 – £6,000,000 | |
|
Impact 3 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 4 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Reckless | |||
|
Category 1 |
Impact 1 |
£7,000,000 |
£6,000,000 – £8,000,000 |
|
Impact 2 |
£7,000,000 |
£6,000,000 – £8,000,000 | |
|
Impact 3 |
£5,000,000 |
£4,000,000 – £6,000,000 | |
|
Impact 4 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Category 2 |
Impact 1 |
£5,000,000 |
£4,000,000 – £6,000,000 |
|
Impact 2 |
£5,000,000 |
£4,000,000 – £6,000,000 | |
|
Impact 3 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 4 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Category 3 |
Impact 1 |
£3,000,000 |
£2,000,000 – £4,000,000 |
|
Impact 2 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 3 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
|
Negligent | |||
|
Category 1 |
Impact 1 |
£3,000,000 |
£2,000,000 – £4,000,000 |
|
Impact 2 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 3 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
|
Category 2 |
Impact 1 |
£3,000,000 |
£2,000,000 – £4,000,000 |
|
Impact 2 |
£3,000,000 |
£2,000,000 – £4,000,000 | |
|
Impact 3 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
|
Category 3 |
Impact 1 |
£1,000,000 |
£0 – £2,000,000 |
|
Impact 2 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 3 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
|
Low / No culpability | |||
|
Category 1 |
Impact 1 |
£1,000,000 |
£0 – £2,000,000 |
|
Impact 2 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 3 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
|
Category 2 |
Impact 1 |
£1,000,000 |
£0 – £2,000,000 |
|
Impact 2 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 3 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
|
Category 3 |
Impact 1 |
£1,000,000 |
£0 – £2,000,000 |
|
Impact 2 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 3 |
£1,000,000 |
£0 – £2,000,000 | |
|
Impact 4 |
£1,000,000 |
£0 – £2,000,000 | |
14. Appendix 4 – Penalty Ranges for material breaches with an impact on the essential service
Category of breach | Impact | Starting Point | Range |
|---|---|---|---|
|
Deliberate | |||
|
Category 1 |
Impact 1 |
£15,600,000 |
£14,200,000 – £17,000,000 |
|
Impact 2 |
£12,750,000 |
£11,300,000 – £14,200,000 | |
|
Impact 3 |
£9,950,000 |
£8,500,000 – £11,300,000 | |
|
Impact 4 |
£7,100,000 |
£5,700,000 – £8,500,000 | |
|
Category 2 |
Impact 1 |
£12,750,000 |
£11,300,000 – £14,200,000 |
|
Impact 2 |
£9,950,000 |
£8,500,000 – £11,300,000 | |
|
Impact 3 |
£7,100,000 |
£5,700,000 – £8,500,000 | |
|
Impact 4 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Category 3 |
Impact 1 |
£7,100,000 |
£5,700,000 – £8,500,000 |
|
Impact 2 |
£7,100,000 |
£5,700,000 – £8,500,000 | |
|
Impact 3 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 4 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Reckless | |||
|
Category 1 |
Impact 1 |
£9,950,000 |
£8,500,000 – £11,300,000 |
|
Impact 2 |
£9,950,000 |
£8,500,000 – £11,300,000 | |
|
Impact 3 |
£7,100,000 |
£5,700,000 – £8,500,000 | |
|
Impact 4 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Category 2 |
Impact 1 |
£7,100,000 |
£5,700,000 – £8,500,000 |
|
Impact 2 |
£7,100,000 |
£5,700,000 – £8,500,000 | |
|
Impact 3 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 4 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Category 3 |
Impact 1 |
£4,250,000 |
£2,800,000 – £5,700,000 |
|
Impact 2 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 3 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
|
Negligent | |||
|
Category 1 |
Impact 1 |
£4,250,000 |
£2,800,000 – £5,700,000 |
|
Impact 2 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 3 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
|
Category 2 |
Impact 1 |
£4,250,000 |
£2,800,000 – £5,700,000 |
|
Impact 2 |
£4,250,000 |
£2,800,000 – £5,700,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
|
Category 3 |
Impact 1 |
£1,400,000 |
£0 – £2,800,000 |
|
Impact 2 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
|
Low / No culpability | |||
|
Category 1 |
Impact 1 |
£1,400,000 |
£0 – £2,800,000 |
|
Impact 2 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
|
Category 2 |
Impact 1 |
£1,400,000 |
£0 – £2,800,000 |
|
Impact 2 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
|
Category 3 |
Impact 1 |
£1,400,000 |
£0 – £2,800,000 |
|
Impact 2 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £2,800,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £2,800,000 | |
15. Appendix 5 – Alternative penalty range values for medium sized companies
Category of breach | Starting Point | Range |
|---|---|---|
|
Deliberate | ||
|
Category 1 |
£165,000 |
£150,000 – £200,000 |
|
Category 2 |
£165,000 |
£150,000 – £200,000 |
|
Category 3 |
£125,000 |
£100,000 – £150,000 |
|
Category 4 |
£75,000 |
£50,000 – £100,000 |
|
Reckless | ||
|
Category 1 |
£125,000 |
£100,000 – £150,000 |
|
Category 2 |
£125,000 |
£100,000 – £150,000 |
|
Category 3 |
£75,000 |
£20,000 – £100,000 |
|
Category 4 |
£25,000 |
£0 – £50,000 |
|
Negligent | ||
|
Category 1 |
£75,000 |
£20,000 – £100,000 |
|
Category 2 |
£75,000 |
£20,000 – £100,000 |
|
Category 3 |
£25,000 |
£0 – £50,000 |
|
Category 4 |
£25,000 |
£0 – £50,000 |
|
Low / No culpability | ||
|
Category 1 |
No fine | |
|
Category 2 |
No fine | |
|
Category 3 |
No fine | |
|
Category 4 |
No fine |
Category of breach | Starting Point | Range |
|---|---|---|
|
Deliberate | ||
|
Category 1 |
£1,450,000 |
£1,200,000 – £1,700,000 |
|
Category 2 |
£1,450,000 |
£1,200,000 – £1,700,000 |
|
Category 3 |
£950,0000 |
£700,000 – £1,200,000 |
|
Reckless | ||
|
Category 1 |
£1,450,000 |
£1,200,000 – £1,700,000 |
|
Category 2 |
£950,000 |
£700,000 – £1,200,000 |
|
Category 3 |
£950,000 |
£700,000 – £1,200,000 |
|
Negligent | ||
|
Category 1 |
£950,000 |
£700,000 – £1,200,000 |
|
Category 2 |
£450,000 |
£200,000 – £700,000 |
|
Category 3 |
£450,000 |
£200,000 – £700,000 |
|
Low / No culpability | ||
|
Category 1 |
No fine | |
|
Category 2 |
No fine | |
|
Category 3 |
No fine |
Category of breach | Impact | Starting Point | Range |
|---|---|---|---|
|
Deliberate | |||
|
Category 1 |
Impact 1 |
£2,200,000 |
£2,000,000 – £2,400,000 |
|
Impact 2 |
£1,800,000 |
£1,600,000 – £2,000,000 | |
|
Impact 3 |
£1,400,000 |
£1,200,000 – £1,600,000 | |
|
Impact 4 |
£1,000,000 |
£800,000 – £1,500,000 | |
|
Category 2 |
Impact 1 |
£2,200,000 |
£1,600,000 – £2,000,000 |
|
Impact 2 |
£1,400,000 |
£1,200,000 – £1,600,000 | |
|
Impact 3 |
£1,000,000 |
£800,000 – £1,500,000 | |
|
Impact 4 |
£600,000 |
£400,000 – £800,000 | |
|
Category 3 |
Impact 1 |
£1,000,000 |
£800,000 – £1,500,000 |
|
Impact 2 |
£1,000,000 |
£800,000 – £1,500,000 | |
|
Impact 3 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 4 |
£600,000 |
£400,000 – £800,000 | |
|
Reckless | |||
|
Category 1 |
Impact 1 |
£1,400,000 |
£1,200,000 – £1,600,000 |
|
Impact 2 |
£1,400,000 |
£1,200,000 – £1,600,000 | |
|
Impact 3 |
£1,000,000 |
£800,000 – £1,500,000 | |
|
Impact 4 |
£600,000 |
£400,000 – £800,000 | |
|
Category 2 |
Impact 1 |
£1,000,000 |
£800,000 – £1,500,000 |
|
Impact 2 |
£1,000,000 |
£800,000 – £1,500,000 | |
|
Impact 3 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 4 |
£600,000 |
£400,000 – £800,000 | |
|
Category 3 |
Impact 1 |
£600,000 |
£400,000 – £800,000 |
|
Impact 2 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 3 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Negligent | |||
|
Category 1 |
Impact 1 |
£600,000 |
£400,000 – £800,000 |
|
Impact 2 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 3 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Category 2 |
Impact 1 |
£600,000 |
£400,000 – £800,000 |
|
Impact 2 |
£600,000 |
£400,000 – £800,000 | |
|
Impact 3 |
£200,000 |
£0 – £400,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Category 3 |
Impact 1 |
£200,000 |
£0 – £400,000 |
|
Impact 2 |
£200,000 |
£0 – £400,000 | |
|
Impact 3 |
£200,000 |
£0 – £400,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Low / No culpability | |||
|
Category 1 |
Impact 1 |
£200,000 |
£0 – £400,000 |
|
Impact 2 |
£200,000 |
£0 – £400,000 | |
|
Impact 3 |
£200,000 |
£0 – £400,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Category 2 |
Impact 1 |
£200,000 |
£0 – £400,000 |
|
Impact 2 |
£200,000 |
£0 – £400,000 | |
|
Impact 3 |
£200,000 |
£0 – £400,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Category 3 |
Impact 1 |
£200,000 |
£0 – £400,000 |
|
Impact 2 |
£200,000 |
£0 – £400,000 | |
|
Impact 3 |
£200,000 |
£0 – £400,000 | |
|
Impact 4 |
£200,000 |
£0 – £400,000 | |
|
Starting Point |
Range | ||
|
Deliberate | |||
|
Category 1 |
Impact 1 |
£15,600,000 |
£2,840,000 – £3,400,000 |
|
Impact 2 |
£12,750,000 |
£2,260,000 – £2,840,000 | |
|
Impact 3 |
£9,950,000 |
£1,700,000 – £2,260,000 | |
|
Impact 4 |
£7,100,000 |
£1,140,000 – £1,700,000 | |
|
Category 2 |
Impact 1 |
£12,750,000 |
£2,260,000 – £2,840,000 |
|
Impact 2 |
£9,950,000 |
£1,700,000 – £2,260,000 | |
|
Impact 3 |
£7,100,000 |
£1,140,000 – £1,700,000 | |
|
Impact 4 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Category 3 |
Impact 1 |
£7,100,000 |
£1,140,000 – £1,700,000 |
|
Impact 2 |
£7,100,000 |
£1,140,000 – £1,700,000 | |
|
Impact 3 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 4 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Reckless | |||
|
Category 1 |
Impact 1 |
£9,950,000 |
£1,700,000 – £2,260,000 |
|
Impact 2 |
£9,950,000 |
£1,700,000 – £2,260,000 | |
|
Impact 3 |
£7,100,000 |
£1,140,000 – £1,700,000 | |
|
Impact 4 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Category 2 |
Impact 1 |
£7,100,000 |
£1,140,000 – £1,700,000 |
|
Impact 2 |
£7,100,000 |
£1,140,000 – £1,700,000 | |
|
Impact 3 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 4 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Category 3 |
Impact 1 |
£4,250,000 |
£560,000 – £1,140,000 |
|
Impact 2 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 3 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
|
Negligent | |||
|
Category 1 |
Impact 1 |
£4,250,000 |
£560,000 – £1,140,000 |
|
Impact 2 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 3 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
|
Category 2 |
Impact 1 |
£4,250,000 |
£560,000 – £1,140,000 |
|
Impact 2 |
£4,250,000 |
£560,000 – £1,140,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
|
Category 3 |
Impact 1 |
£1,400,000 |
£0 – £560,000 |
|
Impact 2 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
|
Low / No culpability | |||
|
Category 1 |
Impact 1 |
£1,400,000 |
£0 – £560,000 |
|
Impact 2 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
|
Category 2 |
Impact 1 |
£1,400,000 |
£0 – £560,000 |
|
Impact 2 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
|
Category 3 |
Impact 1 |
£1,400,000 |
£0 – £560,000 |
|
Impact 2 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 3 |
£1,400,000 |
£0 – £560,000 | |
|
Impact 4 |
£1,400,000 |
£0 – £560,000 | |
https://www.dwi.gov.uk/what-we-do/our-strategic-objectives/ ↑
NIS Regulations: Guidance for Competent Authorities – GOV.UK ↑
https://www.legislation.gov.uk/ukpga/2006/51/contents ↑
https://www.legislation.gov.uk/uksi/2007/3544 ↑
https://www.gov.uk/government/publications/regulators-code ↑
Statutory Guidance under section 110(6) of the Deregulation Act 2015, Growth Duty: Statutory Guidance (publishing.service.gov.uk). This guidance concerns the performance of the growth duty in section 108 of the Act and sets out ways in which regulators can exercise their regulatory functions in accordance with the growth duty. ↑
https://cdn.dwi.gov.uk/wp-content/uploads/2022/01/27161338/DWI-Complaints-procedure.pdf ↑
https://www.sentencingcouncil.org.uk/wp-content/uploads/Final_Environmental_Offences_Definitive_Guideline_web1.pdf ↑
Enforcement Policy – Drinking Water Quality Regulation – Drinking Water Inspectorate ↑
https://www.gov.uk/courts-tribunals/first-tier-tribunal-general-regulatory-chamber ↑