NIS Regulations: Government publishes guidance for competent authorities

With the Directive on security of network and information systems (NIS Directive) to be transposed into national laws across the EU by 9 May 2018, the UK government has published guidance for those tasked with its enforcement.

The UK government has transposed the NIS Directive into national law, and officially titled it The Network and Information Systems Regulations 2018 (NIS Regulations).

The NIS Directive allows each member state to allocate its own competent authorities. The UK has decided that different authorities will oversee each sector, and in some cases countries within the UK will have their own authority. Take the water sector: it will be overseen by the Secretary of State for Environment, Food and Rural Affairs in England; Welsh Ministers in Wales; the Drinking Water Quality Regulator in Scotland and the Department of Finance in Northern Ireland.

Annex I of the guidance contains a full list of sectors and the relevant competent authorities.


Competent authorities have sole responsibility for regulatory decisions and enforcement, which includes:

  • Reviewing the application of the NIS Directive in their sector or region;
  • Preparing and publishing guidance to assist operators of essential services (OES) or digital service providers (DSPs) in meeting the Directive’s requirements;
  • Establishing the identification thresholds for OES in their sector or region;
  • Keeping a list of all designated OES, including an indication of the importance of each operator;
  • Keeping a list of all revocations;
  • Consulting and cooperating with other competent authorities, the computer security incident response team (CSIRT), the single point of contact (SPOC) and the Information Commissioner’s Office (ICO);
  • Assessing whether organisations within their sector or region meet the NIS Directive’s requirements;
  • Determining the thresholds for reportable incidents in their sector or region;
  • Cooperating with other competent authorities to provide consistent advice and oversight to OES or DSPs;
  • Receiving incident reports;
  • Ensuring that there are processes for non-cyber incidents, and issuing guidance to support companies dealing with such incidents;
  • Conducting incident investigations; and
  • Enforcing the Directive, including issuing notices and penalties.

The National Cyber Security Centre (NCSC) provides guidance to competent authorities and carries out the duties of the SPOC and the CSIRT, except in the healthcare sector, in which incidents are handled by NHS Digital.

The Department for Digital, Culture, Media & Sport is charged with overseeing the implementation of the Directive across the UK.

Complying with the NIS Regulations

Organisations within the NIS Regulation’s scope have a similarly long list of responsibilities. For more information on how OES and DSPs should prepare for the NIS Regulations, download our free compliance guide, covering:

  • The six ‘essential’ sectors that must comply;
  • Which DSPs are covered and which are excluded;
  • The functions of the proposed CSIRTs Network;
  • Organisations’ risk management and incident reporting obligations; and
  • How cyber resilience helps organisations meet the Regulation’s requirements.

You might also be interested in our NIS Regulation infographic, which breaks down the key information into bite-sized chunks and is an ideal reference tool >>

Leave a Reply

Your email address will not be published. Required fields are marked *