Collection

The NIS Regulations 2018

The Security of Network & Information Systems Regulations (NIS Regulations) provide legal measures to boost the level of security (both cyber & physical resilience) of network and information systems for the provision of essential services and digital services.

• From: Department for Digital, Culture, Media & Sport
• Published: 20 April 2018
• Last updated: 4 January 2023 — See all updates

As our reliance on technology grows, the failure of network and information systems has a bigger impact, and there are more opportunities to compromise those systems. Responding to this threat is an essential requirement for a prosperous UK economy. We need to secure critical network and information systems in order to keep our businesses, citizens and public services protected.

The government therefore laid the Network and Information Systems Regulations 2018 (NIS Regulations) in the Houses of Parliament on 20 April 2018. The NIS Regulations came into force on 10 May 2018, you can read the regulations here.

The NIS Regulations provides legal measures to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of digital services (online marketplaces, online search engines, cloud computing services) and essential services (transport, energy, water, health, and digital infrastructure services).

This work is part of the government’s £2.6 billion National Cyber Strategy to protect and promote the UK online.

Recent proposals to update the NIS regulations (Dec 2022)

Following a consultation in 2022 the government announced its intention to update the NIS regulations to improve the UK’s cyber resilience. The changes include:

• bringing managed service providers (MSPs) into scope of the regulations to keep digital supply chains secure
• improving cyber incident reporting to regulators
• establishing a cost recovery system for enforcing the NIS regulations
• giving the government the power to amend the NIS regulations in future to ensure they remain effective
• enabling the Information Commissioner to take a more risk-based approach to regulating digital services.

These updates to the NIS regulations will be made as soon as parliamentary time allows.

EU Exit Guidance for Digital Service Providers Established in the UK (Dec 2020)

When the UK departs the EU, digital service providers established in the UK that offer services in another EU Member State must designate a representative in an EU Member State where they offer services. The Government has published guidance explaining how relevant digital service providers can prepare for this eventuality. The guidance can be found here.

Call for views on amendments to the regulations (Sept 2020)

The regulations were reviewed in May 2020, two years after their implementation.

Following this review, the government considered amendments to the NIS Regulations in order to implement many of the recommendations of the review. The full details were set out in a call for views which was held in September 2020.

Review of the NIS Regulations (May 2020)

The Government has conducted a Post-Implementation Review of the Network & Information Systems Regulations, two years after their implementation in May 2018.

The Review suggests that, while it is too early to judge the long term impact of the regulations, organisations are taking measures to ensure the security of their networks and information systems as a result of the Regulations being in place. We expect this action is leading to a reduction in the risks posed to essential services and important digital services which rely on networks and information systems. You can read the full Review here.

Digital Service Providers (Brexit) Consultation (July 2019)

Following the UK’s departure from the EU, the UK proposes to introduce a requirement in the NIS Regulations for non-UK based Digital Service Providers (DSPs) operating in the UK to designate a representative in this country, and be subject to the regulatory authority of the ICO. A call for views was open from March 2019 to June 2019 to seek views on the Government’s intention to include this new requirement in the NIS Regulations. The Government’s response to the call for views was published on 24 July 2019. All relevant information on this consultation can be found here.

Targeted Consultation on Digital Service Providers (Aug 2018)

Subsequent to the Government’s response, the Implementing Act was published in the Official Journal of the European Union on 30 January 2018 and can be found on the EUR-LEX website. In March 2018, the Government published a targeted consultation on the implementation of the NIS Directive and its associated Implementing Act for digital service providers. The Government’s response to the targeted consultation was published on 31 August 2018. All relevant information on the targeted consultation can be found here.

Guidance for Competent Authorities (April 2018)

The NIS Regulations establish multiple competent authorities which are responsible for the oversight and enforcement of the NIS Regulations in each sector or region covered by the NIS Regulations. The Government has published guidance for the Competent Authorities to help them carry out their functions under the NIS Regulations. The guidance can be found here.

Impact Assessment (April 2018)

An assessment detailing the expected impact of the NIS Regulations was published on 20 April 2018. You can read the impact assessment here.

Public Consultation on the NIS Directive (Jan 2018)

The Government held a public consultation from August to September 2017 on its proposals to implement the NIS Directive. The Government’s response to the public consultation was published on 29 January 2018. All relevant information on the public consultation can be found here.

Documents

• Cyber laws updated to boost UK’s resilience against online attacks
  • 30 November 2022
  • Press release
• Proposal for legislation to improve the UK’s cyber resilience
  • 30 November 2022
  • Consultation outcome
• Second Post-Implementation Review of the Network and Information Systems Regulations 2018
  • 27 July 2022
  • Policy paper
• Review of the Network and Information Systems Regulations
  • 29 May 2020
  • Policy paper

Published 20 April 2018
Last updated 4 January 2023 + show all updates

1. 4 January 2023

   Added details of the recent government consultation response, which explains the NIS regulations will be updated as soon as Parliamentary times allows.

2. 15 September 2020

   Added a link to the Call for Views on amendments to the regulations. The deadline for responding to the call for views is Friday 25 September 2020.

3. 26 June 2020

   Added a link to the Post-Implementation Review of the NIS Regulations (May 2020.) The review assesses the impact of the regulations two years after their introduction.

4. 30 January 2019

   We have added a link to EU Exit guidance for the NIS Regulation

5. 20 April 2018

   First published.