Guidance

Enforcement management model: transport sector

Published 26 March 2024

Applies to England and Wales

This guidance provides an overview of the Department for Transport’s (DfT) approach to enforcement in respect of cyber compliance under the Network and Information Systems Regulations 2018 (NIS regulations).

It sets out DfT’s enforcement approach in the form of a 3-step enforcement management model (EMM) to be used by DfT’s cyber compliance team (CCT) in making enforcement decisions for operators of essential services (OES).

This guidance applies to those organisations that are designated as OES within the rail, road, and maritime areas of the transport sector in the UK.

OES in the aviation sector are covered by the Civil Aviation Authority (CAA), meaning DfT is a co-competent authority with the CAA for these OES. The CAA oversees relationships with aviation OES, but enforcement is reserved to DfT. This guidance, therefore, also relates to OES in aviation.

The guidance is designed to assist OES in complying with their security obligations under the NIS regulations. It establishes the principles that DfT’s CCT relies on to determine the appropriate enforcement action to take in response to instances of non-compliance with the NIS regulations. It also provides an overview of the enforcement mechanisms available to DfT in its role as a competent authority under the NIS regulations and provides guidance to CCT inspectors to assist them in making reasonable and proportionate enforcement decisions in response to breaches of the NIS regulations.

The NIS regulations require competent authorities, including DfT, to publish guidance in any form or manner the competent authority considers appropriate. Information on enforcement is set out in part 5 of DfT’s previous guidance and should be read in conjunction with this enforcement guide. See the published general guidance to support OES in the transport sector for more information.

DfT will periodically review this guide in response to feedback and in respect of any relevant regulatory learnings. DfT may also review its case assessment process and may change it based on experience.

Where DfT makes any substantive amendments to its enforcement approach, these changes will be published before implementation. DfT will assess each enforcement case against the guidance applicable at the time.

This guidance is not a substitute for any regulation or law and does not constitute legal advice. Individual OES are advised to seek independent legal advice about how the NIS regulations apply to them and concerning any potential enforcement action that may be taken against them in the event of non-compliance.

Regulating compliance with the NIS regulations

DfT’s enforcement management model sets out a 3-step approach to enforcement that DfT will apply when an OES has not, or will not, comply with requirements or obligations imposed under the NIS regulations. DfT will apply its EMM reasonably and proportionately in response to each instance of non-compliance.

DfT’s cyber compliance inspectors, and inspectors of the Civil Aviation Authority (CAA), can regularly monitor an OES’ response to identified shortfalls and, where necessary, directly resolve issues where operators fail to respond appropriately rather than referring to the EMM and taking enforcement action.

DfT’s cyber compliance inspectors set out and record the factors they have considered to make enforcement-related decisions. They also provide these reasons to any OES subject to enforcement action.

Where DfT is considering taking enforcement action in respect of an OES that may overlap with potential enforcement action being considered by another competent authority (for example, the Information Commissioner’s Office in respect of a breach of the UK GDPR), it will be for the competent authorities involved to agree whether to act in conjunction, concurrently or consecutively.

DfT is aware of the potential of double jeopardy and will work with other competent authorities to ensure any regulatory action is proportionate and appropriate.

DfT’s enforcement powers and functions under the NIS regulations

The NIS regulations establish several enforcement powers and functions that are available to designated competent authorities responsible for administering these regulations in specific subsectors.

Enforcement powers available to competent authorities ensure OES satisfy the requirements imposed under the NIS regulations. Compliance is essential to provide the security and ongoing capability of the network and information systems the UK’s essential services rely on.

DfT’s enforcement powers and functions include the following aspects.

Power to issue information notices

Under regulation 15, competent authorities have the power to issue information notices to:

  • assess if a person should be an OES, or
  • obtain information the competent authority reasonably requires from an individual OES to assess, among other matters, the:

    • security of the OES’ network and information systems
    • OES’ level of compliance with its obligations under the NIS regulations – including the extent to which an individual OES has implemented appropriate security policies

Power to conduct inspections

Under regulation 16, competent authorities have the power to conduct inspections in respect of individual OES either directly or through a person appointed by the competent authority (or the OES on the direction of the competent authority) to inspect on its behalf.

OES must comply with certain requirements during an inspection and inspectors may exercise specific powers during an inspection. This includes requiring OES to do certain things, such as facilitating access to premises or providing documents.

Power to issue enforcement notices

Under regulation 17, competent authorities have the power to issue an enforcement notice to an OES when they have reasonable grounds to believe the OES has failed to comply with a duty or duties imposed under the NIS regulations.

Power to provide a notice of intention for a monetary penalty

Under regulation 18, competent authorities have the power to provide an OES with a notice of intention to impose a monetary penalty and impose that penalty if needed following any representations from the OES.

A competent authority may exercise its powers under regulation 18 when it both:

  • has reasonable grounds to believe the OES has failed to comply with a duty or duties imposed and referred to in regulation 17(1) or regulation 17(3A) of the NIS regulations
  • considers a penalty is warranted having regard to the facts and circumstances of the case

3-step scaled approach to cyber compliance enforcement

DfT has developed a 3-step, scaled approach to enforcement to assist OES in understanding how DfT may use its enforcement powers, under NIS regulations.

This approach intends to encourage OES to comply with their regulatory duties and to assist DfT in assessing and monitoring compliance. If an OES is not compliant, DfT can take several actions to inform and enforce its decisions by using information notices and enforcement notices.

This process is set out in the NIS regulations, which have been designed to give competent authorities as much flexibility as possible for the process any enforcement action takes.

DfT will, where appropriate, initially use informal methods to encourage compliance, such as:

  • meeting with OES
  • conducting site visits
  • discussing issues through a mixture of informal and formal enforcement mechanisms

This is a non-linear, flexible process, as it is not intended for all steps to be followed sequentially. An OES can exit the enforcement process at any stage by complying, or by working towards compliance on conditions agreed with DfT’s CCT.

DfT’s CCT will aim to provide reasonable timeframes for OES to address compliance issues. If there is a repeated or obvious failure, the EMM will be used as guidance to determine the appropriate course of action.

Step 1: advise and persuade

When any deficiencies are identified, the initial approach taken by CCT or CAA (as appropriate) will be to engage with the OES and discuss the deficiencies. This includes:

  • outlining what the failure or issue is
  • how and when the issue or failure can be addressed

The CCT or CAA (as appropriate) will seek to agree with the OES the remedial actions required by the OES and when these actions should be completed. Either the CCT or CAA (as appropriate) may wish to follow up with further assessments or audits to ensure action has been taken and any failings have been addressed appropriately and proportionately.

A stronger line may be taken if these actions are not completed within the agreed timeframe. However, this can still stop short of any formal enforcement action.

Where an OES has repeatedly failed to engage with the informal enforcement measures of CCT or the CAA (as appropriate), including site visits, DfT may consider issuing an information notice under regulation 15 or conducting an inspection under regulation 16.

If justified by the circumstances, it may be appropriate for DfT to issue an information notice and conduct an inspection at the same time. There are no limits on how many information notices DfT can issue or inspections CCT or CAA (as appropriate) can conduct.

Issuing information notices

When DfT considers it appropriate to issue an information notice, it must do so in writing. An information notice will specify the information that DfT requires the OES to provide and the reasons for requesting this information, as well as the form, manner and timeframe in which this information must be provided to DfT.

Under regulation 15(1) and (2) of the NIS regulations, information DfT might reasonably require an OES to provide in response to an information notice can be for one or more of the following purposes:

  • to establish whether an organisation should be an OES
  • to assess the security of an OES’ network and information systems
  • to establish whether there have been any events that DfT has reasonable grounds to believe have had, are having or could have an adverse impact on the security of an OES’ network and information systems, and the nature and impact of those events
  • to identify a failure of the OES to comply with any duty set out in the NIS regulations
  • to assess the implementation of the OES’ security policies, including those agreed under an improvement plan or following an OES completing its improvement plan and entering ‘ongoing compliance’

As set out in the NIS regulations, OES must comply with the requirements of an information notice. Where an OES fails to comply with this notice, the regulations provide for DfT to take further enforcement action in the form of issuing an enforcement notice or penalty, provided it is proportionate and reasonable to take action.

There may be instances where it is necessary to seek information via separate information notices. DfT will work with OES in these instances to set a reasonable timeframe and information disclosure parameters.

Should an OES that is the subject of an information notice identify issues with the information notice, these should be raised promptly in writing with CCT, in most instances via an email to Cybercomplianceteam@dft.gov.uk.

DfT will aim to provide a written response within a reasonable timeframe. Irrespective of having raised a potential issue with CCT, OES should still respond to the information notice in the allowed time.

Step 2: use of enforcement notices

Where DfT’s initial collaborative approaches and, if necessary, use of information notices as part of step 1 have not worked and failings are not being addressed, then DfT may serve an enforcement notice on an OES.

DfT may serve an enforcement notice on an OES where there are reasonable grounds to believe that the OES has failed to fulfil or comply with a duty or requirement set out under regulation 17(1).

Before serving an enforcement notice, DfT will inform the relevant OES of the alleged failure in a form or manner it considers appropriate. This will include how and when the OES may make representations about the alleged failure and any related matters.

DfT may also choose to inform the OES of its intention to serve the enforcement notice but is not required to do so.

When an OES provides any representations in response, DfT will consider them before determining any further enforcement action to take.

Where DfT considers it appropriate to serve an enforcement notice, irrespective of whether it has shared an intention to serve this notice, DfT will in writing:

  • specify the reasons for the notice and the alleged failure of compliance
  • outline the steps that must be taken to rectify the alleged failure
  • set out the timeframe for when these rectifying steps must be actioned

DfT will serve the notice within a reasonable timeframe after it has notified the relevant OES of the alleged failure and provided details of how to make representations.

An OES is legally required to comply with the conditions of the enforcement notice. This requirement applies irrespective of any penalty imposed under regulation 18 being paid.

After issuing an enforcement notice, DfT will monitor how well the relevant OES follows the requirements and any other actions the OES takes to comply with the NIS regulations.

Where an OES demonstrates non-compliance with the requirements of an enforcement notice, DfT will consider whether a penalty should be issued.

No further enforcement action

When DfT is satisfied no further enforcement action is required, DfT will inform the OES of this decision in writing.

The relevant OES may request reasons for any decision by DfT to take no further action within 28 calendar days of being informed. DfT will provide such reasons within a reasonable time and, in any event, no later than 28 calendar days.

Appealing a decision

Under regulation 19A, an OES may appeal to the First-tier Tribunal against a decision made by DfT to issue an enforcement notice. An appeal must be based on one or more of the grounds outlined in regulation 19A(3).

Step 3: penalties

Where DfT has reasonable grounds to believe that an OES has failed to comply with either:

  • any duty or requirement set out under regulation 17(1)
  • a duty to comply with an enforcement notice (under regulation 17(3A))

If DfT also considers that the facts and circumstances of the case warrant the imposition of a penalty, then DfT may decide to impose a penalty on the relevant OES.

DfT can decide to impose a penalty as an immediate response to a sufficiently serious instance of non-compliance (provided it is proportionate and reasonable to do so), or as an additional enforcement mechanism where an OES has breached or otherwise not complied with other enforcement measures (such as information notices and/or enforcement notices).

For example, one requirement under regulation 17(1) is to fulfil the security duties under regulation 10(1) and (2).

Where a sufficiently serious incident occurs that reveals a failure on the part of an OES to comply with the duty at regulation 10(2), then this may be a situation where a penalty could be imposed directly because of an incident. This will follow a case-by-case assessment.

A notice of an intention to impose a penalty may be served regardless of whether an information or enforcement notice has already been served or is being served at the same time.

This notice of intention to impose a penalty will be in writing and will specify:

  • the reason for the notice
  • amount of the penalty
  • how and when the penalty is due to be paid

Penalty amounts are set out in regulation 18(6).

An OES may make representations about the content of the penalty notice and any related matters specified in the notice.

DfT may, after considering any representations submitted by the OES in response to the notice of intention to impose a penalty, serve a penalty notice on the OES that sets out a final penalty decision if DfT is satisfied that a penalty is warranted having regard to the facts and circumstances of the case.

DfT will determine a penalty sum that:

  • is appropriate and proportionate to the failure or instance of non-compliance
  • will not exceed the following amounts:

£1,000,000 for any contravention DfT determines is not a ‘material contravention’ as defined in the regulations

Examples of contraventions in this penalty category include but are not limited to:

  • a failure to comply with an information notice
  • a failure to comply with the requirements of an inspection or a direction given during an inspection where no enforcement notice has been issued

£8,500,000 for a ‘material contravention’ DfT determines does not meet the criteria set out in regulation 18(6)(d), in respect of significant risk or significant impact

Examples of contraventions in this penalty category include but are not limited to:

  • a failure to fulfil the OES security duties set out under regulation 10(1)
  • a failure to notify DfT of an NIS incident under regulation 11 where no enforcement notice has been issued

£17,000,000 for a material contravention that DfT determines has or could have created a significant risk or impact on or in relation to the OES’ service provision

Examples of contraventions in this penalty category include but are not limited to:

  • a significant failure to fulfil the OES security duties set out under regulation 10(1)
  • a failure to notify DfT of an NIS incident under regulation 11 where no enforcement notice has been issued

DfT will provide an OES with a copy of a final penalty notice, which will include the reasons for the final penalty decision.

Owing to the potential security implications of public disclosure of a penalty, DfT would carefully consider public communication of the penalty. This would be conducted following consultation with the National Cyber Security Centre (NCSC).

It is likely the penalty will be announced publicly after one calendar year from the date of issue of the penalty unless there are exceptional circumstances that will delay the OES’ ability to rectify the issue.

As with enforcement notices, under regulation 19A an OES may appeal to the First-tier Tribunal against a decision made by DfT to serve a penalty notice. An appeal must be based on one or more of the grounds outlined in regulation 19A(3).