The NIS Regulations 2018

The Security of Network & Information Systems Regulations (NIS Regulations) provide legal measures to boost the level of security (both cyber & physical resilience) of network and information systems for the provision of essential services and digital services.

As our reliance on technology grows, the failure of network and information systems has a bigger impact, and there are more opportunities to compromise those systems. Responding to this threat is an essential requirement for a prosperous UK economy. We need to secure critical network and information systems in order to keep our businesses, citizens and public services protected.

The government therefore laid the Network and Information Systems Regulations 2018 (NIS Regulations) in the Houses of Parliament on 20 April 2018. The NIS Regulations came into force on 10 May 2018, you can read the regulations here.

The NIS Regulations provides legal measures to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of digital services (online marketplaces, online search engines, cloud computing services) and essential services (transport, energy, water, health, and digital infrastructure services).

This work is part of the government’s £1.9 billion National Cyber Security Strategy to protect the UK in cyber space and make the UK the safest place to live and work online.

Call for views on amendments to the regulations

The regulations were reviewed in May 2020, two years after their implementation.

Following this review, the government is now considering amendments to the NIS Regulations in order to implement many of the recommendations of the review. The full details are set out in a call for views which you can respond to here. The deadline for responses is 23:59 on Friday 25 September 2020.

Guidance for Competent Authorities

The NIS Regulations establish multiple competent authorities which are responsible for the oversight and enforcement of the NIS Regulations in each sector or region covered by the NIS Regulations. The Government has published guidance for the Competent Authorities to help them carry out their functions under the NIS Regulations. The guidance can be found here.

Impact Assessment

An assessment detailing the expected impact of the NIS Regulations was published on 20 April 2018. You can read the impact assessment here.

Public Consultation on the NIS Directive

The Government held a public consultation from August to September 2017 on its proposals to implement the NIS Directive. The Government’s response to the public consultation was published on 29 January 2018. All relevant information on the public consultation can be found here.

Targeted Consultation on Digital Service Providers

Subsequent to the Government’s response, the Implementing Act was published in the Official Journal of the European Union on 30 January 2018 and can be found on the EUR-LEX website. In March 2018, the Government published a targeted consultation on the implementation of the NIS Directive and its associated Implementing Act for digital service providers. The Government’s response to the targeted consultation was published on 31 August 2018. All relevant information on the targeted consultation can be found here.

EU Exit Guidance for Digital Service Providers Established in the UK

When the UK departs the EU, digital service providers established in the UK that offer services in another EU Member State must designate a representative in an EU Member State where they offer services. The Government has published guidance explaining how relevant digital service providers can prepare for this eventuality. The guidance can be found here.

Digital Service Providers (Brexit) Consultation

Following the UK’s departure from the EU, the UK proposes to introduce a requirement in the NIS Regulations for non-UK based Digital Service Providers (DSPs) operating in the UK to designate a representative in this country, and be subject to the regulatory authority of the ICO. A call for views was open from March 2019 to June 2019 to seek views on the Government’s intention to include this new requirement in the NIS Regulations. The Government’s response to the call for views was published on 24 July 2019. All relevant information on this consultation can be found here.

Review of the NIS Regulations - May 2020

The Government has conducted a Post-Implementation Review of the Network & Information Systems Regulations, two years after their implementation in May 2018.

The Review suggests that, while it is too early to judge the long term impact of the regulations, organisations are taking measures to ensure the security of their networks and information systems as a result of the Regulations being in place. We expect this action is leading to a reduction in the risks posed to essential services and important digital services which rely on networks and information systems. You can read the full Review here.

Published 20 April 2018
Last updated 15 September 2020 + show all updates
  1. Added a link to the Call for Views on amendments to the regulations. The deadline for responding to the call for views is Friday 25 September 2020.

  2. Added a link to the Post-Implementation Review of the NIS Regulations (May 2020.) The review assesses the impact of the regulations two years after their introduction.

  3. We have added a link to EU Exit guidance for the NIS Regulation

  4. First published.