The NIS (Network and Information Systems) Regulations 2018 apply to two main groups in the UK: OES (operators of essential services) and DSPs (digital service providers).
OES have stricter security requirements than DSPs because of the higher risks they typically face and the fact that service interruptions would have more severe consequences. As such, OES are more actively monitored and subject to audits by their regulators (known as ‘competent authorities’).
What is an operator of essential services?
The NIS Regulations apply to OES in the following sectors:
- Energy – electricity, oil and gas.
- Transport – air, rail, water and road.
- Health – healthcare settings (including hospitals, private clinics and online settings).
- Water – drinking water supply and distribution.
- Digital infrastructure – TLD (top-level domain) name registries, DNS (domain name system) service providers and IXP (Internet exchange point) operators.
The Regulations set out a comprehensive set of criteria to help organisations within these sectors identify whether they are likely to be classified as an OES. Those still unsure should consult the relevant competent authority.
OES are required to register with their competent authority within three months of meeting the definition.
Under the NIS Regulations, competent authorities have been assigned on a sectoral basis.
These oversee how organisations comply with the Regulations, and should be able both to assess how organisations apply the 14 principles listed below and to enforce them.
Compliance requirements for OES
The NIS Regulations set out strict compliance obligations for OES to ensure they “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”.
The NCSC (National Cyber Security Centre) has published guidance that describes 4 objectives, covering 14 high-level principles, that OES should meet in order to comply:
Managing security risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Protecting against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Incident reporting for OES
Comparable to the reporting requirements of the GDPR (General Data Protection Regulation), OES must notify their competent authority of NIS incidents with a “significant” impact on the continuity of the service they provide “without undue delay” and, where feasible, within 72 hours of becoming aware of them.
They must consider three factors when determining whether an incident is “significant”:
- The number of users affected by the disruption;
- The duration of the disruption; and
- The size of the geographical area affected by the incident.
The CAF (Cyber Assessment Framework)
OES that fall within the scope of the NIS Regulations are subject to audits by their competent authority.
The CAF was developed by the NCSC as a framework for competent authorities to determine if OES have applied appropriate measures to protect the security of their network and information systems, and can help them audit compliance. The CAF can also be used by OES for self-assessment purposes.
The CAF breaks each principle down into specific outcomes, and each outcome into ‘indicators of good practice’, which an auditor uses to determine whether the organisation has correctly applied the principles.
Consequences of non-compliance with the NIS Regulations
The NIS Regulations set four levels of fines for non-compliance:
- Up to £1 million for any contravention that could not cause a NIS incident.
- Up to £3.4 million for a material contravention that has caused, or could cause, an incident resulting in a reduction of service for a significant period of time.
- Up to £8.5 million for a material contravention that has caused, or could cause, an incident resulting in a disruption of service for a significant period of time.
- Up to £17 million for a material contravention that has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the UK economy.
The level of fine issued will be assessed by the competent authority, which will take account of the OES’s level of compliance and the severity of the incident.
Complying with the NIS Regulations: cyber resilience
A cyber resilience programme combining information security management, incident response and business continuity management can help an organisation identify, and avoid being significantly affected by, disruptive incidents.
Implementing a cyber resilience programme aligned with international standards is a comprehensive way for OES to meet the requirements of the NIS Regulations.
The NCSC also recommends that OES take note of best-practice frameworks, including international standards, to meet the 14 principles.
Although the Regulations don’t specify that OES must implement business continuity measures, we strongly recommend you do so. In addition to protecting your organisation from harm, this could provide you with a competitive advantage and help you comply with other legislation.
To ensure that your cyber resilience programme is robust and in line with international best practice, we recommend using the following standards:
- ISO 27001 – information security management
- ISO 27035 – information security incident response
- ISO 22301 – business continuity management