The NIS Regulations have been in place since 2018 and are as foundational for cyber security practitioners as the Data Protection Act or GDPR – particularly as non-compliance can result in fines of up to £17,000,000. However, we’ve found that the NIS Regulations still cause a lot of confusion.
This blog gives a high-level overview of where the NIS Regulations came from, the requirements they introduce, and some of the core concepts and terminology that you need to know.
This is the first part of our CAF Connect series, an ongoing series of content and events where our experts share their knowledge and advice on the framework to help you achieve compliance. See our CAF Connect page to subscribe or for more information.
What are the NIS Regulations?
In 2013, the EU Commission published a cyber security strategy (‘An Open, Safe and Secure Cyberspace’) to respond to the growing security threats presented by cyber crime and other hostile cyber actors. That strategy identified a number of priorities, including new legislation to improve the cyber security and resilience of operators of Critical National Infrastructure (CNI) and key Digital Service Providers. The rationale was simple:
- Critical systems are becoming increasingly interconnected and dependent on information and operational technology.
- Disruption to certain critical systems can cause disproportionate impacts for the public and the economy. In some cases, they can even have major cross-border consequences (just consider the impacts of the loss of a key air traffic management system, or an Internet Exchange Point).
- The pace and scale of cyber threats is growing.
What is the NIS Directive?
This led directly to the introduction of the 2015 Network and Information Services Directive, which placed a number of obligations on EU Member States to improve the security and resilience of these critical services. In particular, Member States had to:
- Identify Operators of Essential Services (OES) – in other words, organisations providing critical social or economic services which could be undermined by an incident affecting their IT or OT systems.
- Ensure that these Operators of Essential Services took ‘appropriate and proportionate technical and organisational measures’ to manage the risks to their IT and OT systems, and issued reports if their systems were affected by incidents.
- Designate ‘Competent Authorities’ responsible for overseeing the actions that Operators of Essential Services were undertaking.
It’s worth reflecting on a few major themes at this point. First, the Directive left a lot of flexibility for Member States to decide who was an operator of an essential service, and why.
Second, the Directive was inherently based on the principles of risk management and proportionality. Rather than introducing specific technical requirements or controls, it left it to Member States and Operators of Essential Services to decide what action was ‘appropriate and proportionate’.
Third, and often overlooked, is that at its heart the directive is focussed on the resilience of network and information systems that underpin our essential services. That means the directive is concerned not only with cyber attacks, but also with physical security, even if the term isn’t specifically used.
What is the Difference between the NIS Directive and the NIS Regulations?
At this point, we come to the NIS Regulations. Before we go any further, a common question is: ‘what is the difference between the NIS Directive and the NIS Regulations?’. This is an entirely fair question.
The NIS Directive originated at the EU level. It forced Member States to introduce their own national legislation to protect critical network and information systems, and gave some high-level steers on what that legislation needed to say (see above).
The NIS Regulations are domestic UK law. They implement the NIS Directive, and in some places go further. Put simply, if you work for an Operator of Essential Services (OES) in the UK, the NIS Regulations are usually what you really need to care about.
Who Must Comply with the NIS Regulations?
The NIS Regulations came into force on 10 May 2018, and include the core concepts we’ve already identified in the NIS Directive.
The regulations apply to:
Operators of Essential Services (OES):
- Energy (electricity, oil and gas)
- Transport (aviation, rail, maritime and road)
- Health (including hospitals, private clinics and online settings)
- Drinking water (supply and distribution)
- Digital infrastructure (TLD name registries, DNS resolver services / authoritative hosting services, Internet Exchange Points)
Relevant Digital Service Providers (RDSPs):
- Providers of online marketplaces
- Providers of online search engines
- Providers of cloud computing services
Whether or not a specific organisation is in scope of the regulations depends on a range of factors which are beyond the scope of this guide.
The NIS Regulations also designate Competent Authorities for each of these sectors – typically either Government / Devolved Ministers, sector regulators, or a mix of both.
Some critical sectors – notably finance and civil nuclear – are exempt from the NIS Regulations on the basis that they are subject to equivalent security and resilience requirements under other legislation.
What Are the NIS Regulations’ Requirements for OES and RDSPs?
The NIS Regulations introduce four obligations which OES and RDSPs must meet:
- Take measures to manage the risks to critical technologies
- Take measures to prevent incidents, and reduce the impact of incidents when they occur
- Pay attention to what Competent Authorities ask of them
- Notify their Competent Authority if they identify incidents which have negative impacts on their ability to deliver their essential services
As we’ve outlined above, the NIS Regulations do not prescribe any specific technical controls or mandate compliance with particular standards or frameworks, such as ISO 27001 or the NIST Cyber Security Framework. Instead, they leave wide discretion for Competent Authorities to determine what is reasonable and proportionate.
This means that some Operators of Essential Services may be expected to meet higher requirements – for instance, if they deliver a critical service to a larger number of customers, or provide a service which other Operators of Essential Services are critically dependent upon.
How Can Operators of Essential Services Achieve Compliance with the NIS Regulations?
To support Operators of Essential Services and Competent Authorities in demonstrating their compliance with the NIS Regulations, the National Cyber Security Centre has developed 14 core Security and Resilience Principles, together with a range of supporting material collectively known as the Cyber Assessment Framework (CAF). Most Competent Authorities have adopted the CAF, or variations of it, for sectors regulated under the NIS Regulations.
The CAF is a topic in its own right, and will be covered in a separate post next month.
What are the NIS Incident Reporting Requirements?
Organisations that are subject to the NIS Regulations have clearly defined legal obligations to report incidents. For Operators of Essential Services this requirement extends to any incident that causes a ‘significant impact on the continuity of the essential service which that OES provides’, taking into account the number of customers and geographic area affected, and the duration of the incident.
Relevant Digital Service Providers are required to report any incident having a ‘substantial impact on any of the [relevant] digital services’ they provide, taking into account the number of users and geographical area affected, the extent of the disruption, the impact on social and economic activities, and the duration of the incident.
Precise reporting processes vary by sector and are defined by the individual competent authorities.
What Are the Consequences for Non-compliance With the NIS Regulations?
The NIS Regulations provide Competent Authorities with legal powers to issue information notices and to inspect organisations. If they identify breaches of the Regulations, Competent Authorities can issue enforcement notices requiring specific or general improvements, and are also empowered to issue fines of up to £17,000,000 for egregious breaches.
In some instances, an OES or DSP could face liability under both the NIS Regulations and the GDPR for the same incident. The government has stated that OES and DSPs should not ordinarily be fined under both, unless the dual penalties “relate to different aspects of wrongdoing and different impacts”.
What is NIS2?
The NIS2 Directive came into force across the EU in January 2023 and makes a number of changes to the original NIS Directive (NIS1). In particular, NIS2 significantly expands the number and type of organisations in scope. It replaces the distinction between ‘Operators of Essential Services’ and ‘Digital Service Providers’ with two new categories:
- ‘Essential Entities’: these are broadly the typical Critical National Infrastructure sectors that were originally defined as Operators of Essential Services in NIS1.
- ‘Important Entities’: other large- and medium-sized organisations which play an important role in the economy. This includes post and courier services, waste management, chemicals and research. Important Entities are subject to lower levels of oversight than Essential Entities.
The NIS2 Directive also introduces direct obligations on the ‘management bodies’ of Essential and Important Entities; includes more explicit compliance requirements; and strengthens reporting obligations compared to the original NIS1 Directive.
EU Member States must ‘transpose’ (i.e. bring their domestic law into alignment with) the NIS2 Directive by 17 October 2024.
Brexit and the NIS Regulations
The NIS Regulations continue to apply after Brexit. However, the UK Government has decided that the NIS2 Directive will not apply in the UK.
“Given that the UK is no longer bound by EU legislation and will not be implementing NIS 2.0 there will be differences between the EU and the UK. The UK’s legislation is designed for the UK economy and to maximise the benefits to the UK.” (Proposal for legislation to improve the UK’s cyber resilience – Government response, 30 November 2022)
The UK Government has instead published its own proposals to enhance the NIS Regulations. These include extending the NIS Regulations to cover Managed Service Providers, reflecting the critical role they can play in overall security and resilience, and expanding the range of incidents which must be notified to Competent Authorities. Although these changes are more modest than those contained in the NIS2 Directive, they will require changes to legislation, and it is not currently clear when they will be introduced.