The UK’s Network and Information Systems Regulations 2018 (NIS Regulations) are derived from the EU Directive on security of network and information systems (NIS Directive), and took effect on 10 May 2018.
The NIS Regulations require operators of essential services (OES) and relevant digital service providers (DSPs) to take “appropriate and proportionate technical and organisational measures” to manage the risks posed to the security of the network and information systems on which their services rely, and to notify their competent authority of incidents that have a significant impact on those services.
Why must OES comply with the NIS Regulations?
The NIS Regulations are targeted at organisations whose services are critical to the functioning of the economy and society, such as those in healthcare, transport, water and energy. The systems that deliver these services are increasingly computer-controlled and network-connected, which exposes them to cyber attack and makes them more vulnerable to disruptive incidents. If these systems were to come to a halt, the effects on the economy and/or society would be severe.
The NIS Regulations therefore require OES to put in place the network and information security measures needed to mitigate these risks, thereby protecting the continuity of essential services.
Failure to comply with these requirements could result in a fine of up to £17 million.
What is an OES under the NIS Directive?
The NIS Directive defines an OES as an organisation that “provides a service which is essential for the maintenance of critical societal and/or economic activities”.
The NIS Regulations class organisations that operate within the following sectors as OES:
- Energy
- Transport
- Health
- Drinking water supply and distribution
- Digital infrastructure
Within each sector, the NIS Regulations set out threshold criteria (for example, the number of customers served or the volume of service provided) to help organisations identify whether they are likely to be designated as an OES.
What are the compliance requirements for OES?
The National Cyber Security Centre (NCSC) has published 14 high-level cyber security principles that OES are expected to meet in order to satisfy the NIS Regulations’ requirements.
From these 14 principles, the NCSC has developed the Cyber Assessment Framework (CAF), which breaks each principle down into specific contributing outcomes. Each outcome is in turn described by indicators of good practice (IGPs) that show what achieving, partially achieving or not achieving that outcome looks like in practice.
The CAF is the tool that competent authorities use when assessing an organisation’s compliance with the requirements of the NIS Regulations. Organisations can also use the CAF to self-assess their current cyber security posture and identify gaps before a regulatory assessment.
Get started with the NIS Regulations
Take your first steps towards compliance with an NIS Regulations Gap Analysis from IT Governance.
Conducted by a specialist consultant, this service provides a detailed assessment of your compliance needs and gives you a clear starting point for your NIS Regulations compliance project.