The day has come: the Directive on network and information security systems (NIS Directive) has been transposed into UK law as the NIS Regulations 2018. But the transposition hasn’t only brought a name change. The government has begun ramping up its preparation and research, releasing a report on the potential scope of the NIS Regulations, and by 9 November it will announce which operators of essential services (OES) the law applies to.
The report estimates that at least 432 organisations across the water, digital infrastructure, energy, health and transport sectors and digital service providers will be affected by the NIS Regulations. The total cost of implementation and compliance maintenance in the first year will be approximately £32.5 million for businesses and £23.5 million for the government – bringing the total expense to £56 million.
The government predicts that spending for business will drop to £21 million annually in the following years. It didn’t estimate future government spending.
The report breaks down spending into four categories:
- Additional cyber security spending
- Compliance costs for organisations
Almost all of the government’s £23.5 million budget is allocated to additional cyber security spending, with £177,000 on familiarisation, £147,000 on compliance and £38,000 on reporting.
Spending in the private sector will vary depending on the size of the organisation. The report suggests that large essential services will spend about £278,000 preparing for the NIS Regulations, medium-sized organisations £12,500 and small organisations £1,320.
The report highlights two sectors that many people have expressed concern about: health and energy. Although all OES are, by definition, essential, the consensus is that disruption to either of these sectors would be most costly.
A power outage would affect every other essential service, causing massive delays to business and impacting people’s quality of life. Meanwhile, the public saw a glimpse of the damage to the health sector with last year’s WannaCry attack. It also saw how unprepared and unfunded the sector was.
As such, the government’s report predicts that the energy and health sectors might face limited additional costs.
Comply with the NIS Regulations
As the government’s report makes clear, compliance with the NIS Regulations won’t be simple. It will take a lot of time, money and, most importantly, technical know-how. If you fall within the law’s scope, or think you might, it’s worth doing some research into the NIS Regulations and their requirements.
You can get started by reading our free compliance guide, which covers:
- The six ‘essential’ sectors that must comply;
- Which digital service providers (DSPs) are covered;
- The functions of the proposed CSIRTs network;
- Organisations’ risk management and incident reporting obligations; and
- How cyber resilience helps organisations meet the NIS Regulations’ requirements.
You might also be interested in our NIS Regulations infographic, which breaks down the key information into bite-sized chunks and is an ideal reference tool.