The Directive on security of network and information systems (NIS Directive) was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.
The NIS Regulations adopt a multiple competent authority approach and outline how different authorities oversee different sectors, e.g. electricity, transport, water, health, etc.
There are also differences between England, Scotland, Wales and Northern Ireland. For example, the water sector will be overseen by the Secretary of State for Environment, Food and Rural Affairs in England; the Welsh Ministers in Wales; the Drinking Water Quality Regulator in Scotland; and the Department of Finance in Northern Ireland.
Note: Annex I of the guidance contains a full list of sectors and the relevant competent authorities.
The government has published guidance for competent authorities to help them provide oversight of and enforce the Regulations.
Competent authorities’ responsibilities
Competent authorities have the sole responsibility for regulatory decisions and enforcement, including:
- Reviewing the application of the NIS Regulations in their sector or region;
- Preparing and publishing guidance to assist operators of essential services (OES) and digital service providers (DSPs) in meeting the NIS Regulations requirements;
- Establishing the identification thresholds for OES in their sector or region;
- Keeping a list of all designated OES, including an indication of the importance of each operator;
- Keeping a list of revocations;
- Consulting and cooperating with other competent authorities, the computer security incident response team (CSIRT), the single point of contact (SPOC) and the Information Commissioner’s Office (ICO);
- Assessing whether organisations within their sector or region meet the NIS Regulations requirements;
- Determining the thresholds for reportable incidents in their sector or region;
- Cooperating with other competent authorities to provide consistent advice and oversight to OES and DSPs;
- Receiving incident reports;
- Ensuring that there are processes for non-cyber incidents, and issuing guidance to support companies dealing with such incidents;
- Conducting incident investigations; and
- Enforcing the Regulations, including issuing notices and penalties.
The National Cyber Security Centre (NCSC) provides guidance to competent authorities and carries out the duties of the SPOC and the CSIRT, except in the healthcare sector, in which incidents are handled by NHS Digital.
The Department for Digital, Culture, Media & Sport is charged with overseeing the implementation of the Directive.
The Cyber Assessment Framework (CAF)
The NCSC has published 14 high-level principles for how OES need to meet the requirements of the NIS Regulations. The CAF breaks down each of the 14 principles into specific outcomes, which are then further broken down into indicators of good practice (IGPs).
Competent authorities use the CAF during NIS Regulations audits to determine if the organisation has correctly applied the principles.
Get started with the NIS Regulations
Take your first steps towards compliance with an NIS Regulations Gap Analysis from IT Governance.
Conducted by a specialist consultant, this service will provide you with a detailed assessment of your compliance needs and give you a clear starting point for your NIS Regulations compliance project.