There are currently no known outstanding effects for The Network and Information Systems Regulations 2018.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
(This note is not part of the Regulations)
These Regulations implement Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ No L194, 19.7.2016, p1).
Part 2 of these Regulations provides a national framework for the security of network and information systems in the United Kingdom (“UK”). Under regulation 2, a Minister of the Crown must designate and publish a “national strategy” covering the sectors specified in column 1 of the table in Schedule 1 (“the relevant sectors”) and digital services.
Regulation 3(1) designates national competent authorities, specified in column 3 of the table in Schedule 1, for the subsectors specified in column 2 of that table. Regulation 3(2) designates the Information Commissioner as the national competent authority for relevant digital service providers (“RDSPs”). The national competent authorities designated under regulation 3(1) and (2) (referred to as “NIS enforcement authorities”) are required to carry out the duties mentioned in regulation 3(3), (4) and (6).
Regulation 4 designates the ‘single point of contact’ (“SPOC”) for the UK and regulation 5 designates the UK's computer security incident response team for the relevant sectors and RDSPs.
Part 3 of these Regulations makes provision regarding the designation of operators of essential services and the duties which apply to them.
Under regulation 8, a person is identified as an operator of an essential service (an “OES”) by virtue of either falling within regulation 8(1) or (3). A person is deemed to be an OES under regulation 8(1) if they provide an essential service of a kind specified in paragraphs 1 to 9 of Schedule 2 which also satisfies the threshold requirements specified for that kind of essential service. A person may be designated by a competent authority as an OES if they meet the conditions mentioned in regulation 8(3)(a) to (c). The deemed designation of an OES under regulation 8(1), or designation of an OES under regulation 8(3), may be revoked by a competent authority under regulation 9. An OES must fulfil the security duties set out in regulation 10 and the duty to notify incidents set out in regulation 11.
Part 4 of these Regulations makes provision regarding the duties which apply to RDSPs and the Information Commissioner. This includes a duty on all RDSPs to register with the Information Commissioner.
Part 5 of these Regulations makes provision for powers of enforcement and penalties which apply to contraventions of the duties set out in these Regulations. Regulation 15 enables a competent authority to serve an information notice on an OES or any person to obtain information that it reasonably requires for specified purposes. Regulation 19 makes provision for the independent review of a decision to designate an OES or a decision to serve a penalty notice.
Part 6 of these Regulations makes provision about miscellaneous matters such as fees, proceeds of penalties, general considerations that apply to enforcement actions and service of documents.
Regulation 25 sets out a process for the Secretary of State to review the regulatory provision contained within these Regulations and publish a report setting out the conclusions of that review. The first such report must be published on or before 9th May 2020 and subsequent reviews must be carried out biennially after that date.
An impact assessment has been produced by the Department for Digital, Culture, Media and Sport and is published alongside the instrument at www.legislation.gov.uk.
An Explanatory Memorandum and a Transposition Note are published alongside the instrument at www.legislation.gov.uk.
The Directive referred to above is published at http://eur-lex.europa.eu.