If your organisation is an OES (operator of essential services) and within the scope of the NIS Regulations (The Network and Information Systems Regulations 2018), you must register with your relevant competent authority by 20 August 2018.
The NIS Regulations became UK law on 10 May 2018. They transpose the NIS Directive (Directive on security of network and information systems) into national law and apply to certain organisations that offer services to EU organisations and residents and that are headquartered in the UK or have nominated a UK-based representative.
Strict requirements for OES
OES are considered much more vulnerable to disruptions and cyber attacks than the other type of organisation the NIS Regulations apply to, DSPs (digital service providers), and therefore face much stricter requirements.
DSPs have until 1 November 2018 to register with their competent authority, the ICO (Information Commissioner’s Office), and won’t be monitored nearly as closely as OES.
But for either type of organisation, failure to register will almost certainly be treated as a flagrant violation of the NIS Regulations, and could lead to severe disciplinary action. Regulators have the power to issue fines of up to £17 million.
You can check out this guide to see whether your organisation is considered either an OES or DSP.
Get the right competent authority
OES have different competent authorities based on sector and location. For example, drinking water suppliers and distributors will be overseen by the Secretary of State for Environment, Food and Rural Affairs in England; Welsh Ministers in Wales; the Drinking Water Quality Regulator in Scotland; and the Department of Finance in Northern Ireland.
Annex I of the government’s guidance for competent authorities (beginning on page 25) includes a list of sectors and the relevant regulators.
NIS Regulations gap analysis
With the NIS Regulations now being UK law, it’s critical that organisations start assessing their compliance needs. Implementing the NIS Regulations’ requirements will be a long, hard process, so it’s important to be as prepared as possible. Our NIS Regulations Gap Analysis gives you all the information you need at the outset, streamlining the compliance process.
A specialist cyber security consultant will work with you to:
- Interview key individuals in your organisation;
- Assess your current cyber security arrangements; and
- Review your existing policies and procedures for relevancy, effectiveness and efficiency to determine any potential problems that may indicate non-compliance with the NIS Regulations.
You will then receive a detailed gap analysis report that collates the findings of this assessment.
Accelerate your NIS Regulations compliance project with the new NIS Regulations Documentation Toolkit, designed specifically for OES and DSPs.