The Network and Information Systems (NIS) Regulations 2018 are U.K. legislation that came into effect on May 10, 2018. The Regulations aim to establish a high common level of network and information system security across the U.K. The NIS rules bring a new approach to the way organizations manage cyber risk, focusing on the systems that are critical to the provision of essential services and digital services.
The NIS Regulations are implemented and enforced by competent authorities, which are specific regulatory bodies associated with each sector. These authorities are tasked with assessing the security measures of their respective sectors and driving improvements where necessary.
What Are the NIS Regulations 2018?
The NIS Regulations 2018 were derived from the European Union’s Directive on security of network and information systems, commonly referred to as the NIS Directive. The U.K., a member of the EU at the time, was obliged to transpose the Directive into its national law, and the NIS Regulations 2018 were subsequently enacted. The NIS 2 Directive was enacted in 2020.
Although the U.K. has left the EU, the NIS Regulations continue to apply, reflecting the ongoing commitment to a high level of cybersecurity within the U.K.
The Structure of the NIS Regulations
The NIS Regulations consist of 35 regulations subdivided into six parts, including:
- Operators of Essential Services
- Digital Service Providers
- Competent Authorities and Single Point of Contact
- Final Provisions
Each part covers a specific area of the NIS Regulations, providing details about the requirements, roles and responsibilities, enforcement, and penalties for noncompliance.
The NIS Regulations also include multiple schedules that further elaborate on aspects such as criteria for identifying Operators of Essential Services, enforcement notices, appeal procedures, and more.
NIS Regulations 2018 vs. the European Union’s NIS Directive: Similarities and Differences
The NIS Regulations and the EU’s NIS Directive share the same objectives and principles, focused on improving cybersecurity across essential services and digital service providers. However, there are differences in terms of their application and enforcement, primarily due to the U.K.’s specific national considerations and risk profile.
Additionally, while the NIS Directive requires member states to designate a single competent authority to monitor the application of the Directive, the U.K., under its NIS Regulations, has multiple competent authorities, each responsible for a specific sector.
The Purpose of the NIS Regulations
The primary objective of the NIS Regulations is to achieve a high level of security of network and information systems within the U.K. This is critical as the reliance on information systems and digital services has increased significantly, making them prime targets for cyber threats. The implementation of stringent security measures can therefore significantly reduce the risks associated with these threats.
The NIS Regulations also aim to establish a framework to promote cooperation and information sharing between member states in the event of a cyber incident. This cross-border collaboration is essential to ensure a robust and effective response to significant cyber threats and attacks.
What Is the Scope of the NIS Regulations?
The NIS Regulations apply to two main types of entities:
- Operators of Essential Services (OES)
- Digital Service Providers (DSPs)
The Regulations acknowledge that the specifics of what constitutes an OES or DSP may vary across sectors. Therefore, the competent authority identifies the entities within their sector that meet the criteria set out in the regulations.
Operators of Essential Services (OES) are organizations that provide services essential for the maintenance of critical societal or economic activities. To qualify, the service must depend on network and information systems, an incident affecting it must be capable of having significant disruptive effects on its provision, and the entity must be established in the U.K. Examples of OES include entities in sectors such as energy, transport, health, drinking water supply and distribution, and digital infrastructure.
Digital Service Providers (DSPs) are entities providing digital services of a specific type, namely online marketplaces, search engines, and cloud computing services. DSPs are required to ensure a high level of security and to notify competent authorities about any significant incidents. The Regulations also grant competent authorities powers to obtain information and issue instructions to DSPs to ensure their compliance.
Identification of Operators of Essential Services
The NIS Regulations require competent authorities to identify the operators of essential services within their sector, based on a set of criteria. These criteria consider aspects such as the type of service, the potential impact of an incident, and the number of users affected.
The identification of these operators is kept under review to ensure that it continues to reflect the risks associated with each sector.
NIS Regulations’ Jurisdiction
The NIS Regulations apply to OES and DSPs that have their head office in the U.K. or, if their head office is outside the U.K., designate a representative in the U.K. However, the global nature of digital services and the potentially wide-reaching impact of cyber incidents mean that the Regulations have an inherent international dimension.
In this regard, the NIS Regulations provide a framework for the cross-border coordination of responses to significant cyber incidents, promotion of cooperation, and sharing of information among member states.
Key Provisions in the NIS Regulations 2018
The NIS Regulations 2018 aim to improve national cybersecurity capabilities, increase cooperation between EU member states, and secure network and information systems across the U.K. The key provisions of the regulations include:
Operational and Technical Measures
The NIS Regulations require both OES and DSPs to implement appropriate and proportionate operational and technical measures to manage the risks to their network and information systems. These measures should ensure the security, integrity, continuity, and availability of their services.
Guidance on the details of these measures is provided by the competent authorities to suit the specific nature and risks associated with each sector, including measures such as security policies, protection against unauthorized access, incident handling procedures, and business continuity plans.
Security Breach Notification Requirement
Under the NIS Regulations, OES and DSPs have a duty to report any incident having a significant impact on the continuity of the essential service they provide. Incidents must be reported to the relevant competent authority without undue delay and no later than 72 hours after the organization becomes aware of the incident.
Notification should include a description of the incident, its impact, and remedial actions taken or planned to be taken. The objective is to allow the competent authorities to assess the cross-border impact and coordinate an effective response.
Incident Reporting Mechanisms
The NIS Regulations mandate the creation of effective incident reporting mechanisms by the competent authorities. These mechanisms should enable OES and DSPs to comply with their incident reporting obligations and facilitate the sharing of information about threats and incidents.
These mechanisms also serve as a tool for raising awareness on cybersecurity risks and promote a culture of security and resilience among OES and DSPs.
Risk Management Obligations
The NIS Regulations impose an obligation on OES and DSPs to adopt risk management practices. These practices should allow for the identification, assessment, and handling of risks to the network and information systems they use in their operations.
Such practices include comprehensive risk assessments, the implementation of appropriate measures to mitigate identified risks, and regular testing and evaluation of the effectiveness of these measures.
Penalties for Noncompliance
Failure to comply with the NIS Regulations can result in significant penalties. The competent authorities have the power to issue enforcement and penalty notices, with fines up to £17 million for incidents resulting in an immediate threat to life or significant adverse impact on the U.K. economy.
The size of the fine is determined by the nature, gravity, and duration of the noncompliance, considering factors such as the damage caused, the impact on individuals and the wider society, and any previous breaches.
The Role of Competent Authorities Under NIS Regulations
Under the NIS Regulations, a competent authority is tasked with the responsibility of ensuring and monitoring the execution of the NIS Directive within a specified sector or sub-sector.
Designation and Responsibilities of Competent Authorities
Each sector under the scope of the NIS Regulations has a designated competent authority responsible for the implementation and enforcement of the regulations within that sector.
The responsibilities of competent authorities include ensuring that OES and DSPs are implementing appropriate and proportionate security measures, assessing the effectiveness of these measures, and enforcing compliance where necessary.
Powers of Competent Authorities Under NIS Regulations
The competent authorities have a range of powers under the NIS Regulations to ensure compliance. These include the power to issue instructions to OES and DSPs to remedy any deficiencies, to require information or carry out inspections, and to impose penalties for noncompliance.
The exercise of these powers is subject to procedural safeguards, ensuring a balanced approach between the need to secure network and information systems and protecting the rights of the regulated entities.
Interactions Between Competent Authorities and Regulated Entities
The NIS Regulations aim to create a collaborative approach to cybersecurity between the competent authorities and the regulated entities. The competent authorities provide guidance and support to help OES and DSPs understand their obligations and implement appropriate measures.
There is also a requirement for regular dialogue, encouraging an open exchange of information about threats, incidents, and best practices.
NIS Regulations’ Compliance Requirements
The following are some of the key compliance requirements of the NIS Regulations:
Compliance Audits Under the NIS Regulations
The NIS Regulations empower the competent authorities to carry out audits to assess compliance. These may include evaluations of an entity’s security practices, risk management processes, incident response capabilities, and other aspects of their network and information system security. The findings of these audits may result in recommendations for improvements, or in cases of serious deficiencies, enforcement actions.
Compliance for Operators of Essential Services
Operators of Essential Services have to comply with a range of obligations under the NIS Regulations. These include the implementation of appropriate and proportionate security measures, compliance with incident reporting requirements, cooperation with the competent authority, and, where necessary, conducting audits and inspections. Guidance and support are available from the competent authorities to help OES understand and meet their obligations.
Compliance for Digital Service Providers
Digital Service Providers are also subject to compliance requirements under the NIS Regulations. While they are given more flexibility in the choice of security measures, they must ensure a high level of security of their network and information systems. This includes complying with the incident reporting requirements and cooperating with the competent authority. As with OES, competent authorities provide guidance and support to help DSPs in achieving compliance.
Best Practices for Ensuring Compliance
Ensuring compliance with the NIS Regulations involves developing a comprehensive understanding of the obligations, establishing effective security and risk management measures, fostering a culture of cybersecurity within the organization, and maintaining regular dialogue with the competent authority.
Adopting best practices, such as aligning with international standards, regular testing and updating of measures, and sharing of information with other entities can also contribute significantly to achieving compliance.
Kiteworks Helps Organizations Comply With the NIS Regulations 2018
The NIS Regulations 2018 apply to all industries and require organizations to take appropriate and proportionate measures to manage the risks that jeopardize their network and information systems.
The Kiteworks Private Content Network (PCN) provides a secure platform for the transmission and storage of sensitive content, ensuring that organizations can maintain the integrity and confidentiality of their information systems in adherence to the NIS Regulations.
Kiteworks consolidates third-party communication channels including email, file sharing, managed file transfer (MFT), web forms, and SFTP, and runs them through a hardened virtual appliance that shrinks the attack surface of these otherwise vulnerable applications. Kiteworks protects the sensitive content that’s shared over these channels with a variety of security features including secure deployment options, granular access controls, automated end-to-end encryption, multi-factor authentication, visibility into all file activity, and comprehensive audit logs.
These and other features enable organizations to control, protect, and track sensitive content entering and leaving the organization in compliance with numerous state, national, regional, and industry data privacy regulations like the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), European Union-U.S. Data Privacy Framework, Cyber Essentials Plus, NIS 2 Directive, and many, many more.
Schedule a custom demo of the Kiteworks Private Content Network today to learn how it protects NIS data.