The Network and Information Systems Regulations 2018

These Regulations implement Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ No L194, 19.7.2016, p1).

Part 2 of these Regulations provides a national framework for the security of network and information systems in the United Kingdom (“UK”). Under regulation 2, a Minister of the Crown must designate and publish a “national strategy” covering the sectors specified in column 1 of the table in Schedule 1 (“the relevant sectors”) and digital services.

Regulation 3(1) designates national competent authorities, specified in column 3 of the table in Schedule 1, for the subsectors specified in column 2 of that table. Regulation 3(2) designates the Information Commissioner as the national competent authority for relevant digital service providers (“RDSPs”). The national competent authorities designated under regulation 3(1) and (2) (referred to as “NIS enforcement authorities”) are required to carry out the duties mentioned in regulation 3(3), (4) and (6).

Regulation 4 designates the ‘single point of contact’ (“SPOC”) for the UK and regulation 5 designates the UK's computer security incident response team for the relevant sectors and RDSPs.

Part 3 of these Regulations makes provision regarding the designation of operators of essential services and the duties which apply to them.

Under regulation 8, a person is identified as an operator of an essential service (an “OES”) by virtue of either falling within regulation 8(1) or (3). A person is deemed to be an OES under regulation 8(1) if they provide an essential service of kind specified in paragraphs 1 to 9 of Schedule 2 which also satisfies the threshold requirements specified for that kind of essential service. A person may be designated by a competent authority as an OES if they meet the conditions mentioned in regulation 8(3)(a) to (c). The deemed designation of an OES under regulation 8(1), or designation of an OES under regulation 8(3), may be revoked by a competent authority under regulation 9. An OES must fulfil the security duties set out in regulation 10 and the duty to notify incidents set out in regulation 11.

Part 4 of these Regulations makes provision regarding the duties which apply to RDSPs and the Information Commissioner. This includes a duty on all RDSPs to register with the Information Commissioner.

Part 5 of these Regulations makes provision for powers of enforcement and penalties which apply to contraventions of the duties set out in these Regulations. Regulation 15 enables a competent authority to serve an information notice on an OES or any person to obtain information that it reasonably requires for specified purposes. Regulation 19 makes provision for the independent review of a decision to designate an OES or a decision to serve a penalty notice.

Part 6 of these Regulations makes provision about miscellaneous matters such as fees, proceeds of penalties, general considerations that apply to enforcement actions and service of documents.

Regulation 25 sets out a process for the Secretary of State to review the regulatory provision contained within these Regulations and publish a report setting out the conclusions of that review. The first such report must be published on or before 9th May 2020 and subsequent reviews must be carried out biennially after that date.

An impact assessment has been produced by the Department for Digital, Culture, Media and Sport and is published alongside the instrument at www.legislation.gov.uk.

An Explanatory Memorandum and a Transposition Note are published alongside the instrument at www.legislation.gov.uk.

The Directive referred to above is published at http://eur-lex.europa.eu.