Operators of Essential Services and the NIS Regulations

The NIS (Network and Information Systems) Regulations 2018 apply to two main groups: OES (operators of essential services) and DSPs (digital service providers) in the UK.

OES face stricter security requirements than DSPs because they typically face higher risks and service interruptions would have more severe consequences. OES are more actively monitored and subject to audits by their regulators (known as ‘competent authorities’).

The NIS Regulations apply to OES in the following sectors:

• Energy – electricity, oil and gas.
• Transport – air, rail, water and road.
• Health – healthcare settings (including hospitals, private clinics and online settings).
• Water – drinking water supply and distribution.
• Digital infrastructure – TLD (top-level domain) name registries, DNS (domain name systems) service providers and IXP (Internet exchange point) operators.

The Regulations set out a comprehensive set of criteria to help organisations within these sectors identify whether they are likely to be classified as an OES. Those still unsure should consult the relevant competent authority.

OES are required to register with their competent authority within three months of meeting the definition.

Under the NIS Regulations, competent authorities have been assigned on a sectoral basis.

These oversee how organisations comply with the Regulations and should be able to both assess how organisations apply and enforce the 14 principles listed below.

The NIS Regulations set out strict compliance obligations for OES to ensure they take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations.

The NCSC (National Cyber Security Centre) has published guidance that describes 4 objectives, covering 14 high-level principles, that OES should meet to comply:

Objective A – Managing security risk

• A.1 Governance
• A.2 Risk management
• A.3 Asset management
• A.4 Supply chain

Objective B – Protecting against cyber attack

• B.1 Service protection policies and procedures
• B.2 Identity and access control
• B.3 Data security
• B.4 System security
• B.5 Resilient networks and systems
• B.6 Staff awareness and training

Objective C – Detecting cyber security events

• C.1 Security monitoring
• C.2 Anomaly detection

Objective D – Minimising the impact of cyber security incidents

• D.1 Response and recovery planning
• D.2 Improvements

Comparable to the GDPR (General Data Protection Regulation)’s reporting requirements, OES must notify their competent authority of NIS incidents with a “significant” impact on the continuity of the service they provide “without undue delay” and, where feasible, within 72 hours of becoming aware of them

They must consider three factors when determining whether an incident is “significant”:

1. The number of users affected by the disruption.
2. The duration of the disruption; and
3. The size of the geographical area affected by the incident.

OES that fall within the scope of the NIS Regulations are subject to audits by their competent authority.

The CAF was developed by the NCSC as a framework for competent authorities to determine if OES have applied appropriate measures to protect the security of their network and information systems and can help them audit compliance. The CAF can also be used by OES for self-assessment purposes.

The CAF breaks each principle down into specific outcomes, which are then further broken down into ‘indicators of good practice’, which an auditor will use to determine if the organisation has correctly applied the principles.

Find out more information about the CAF

The NIS Regulations set four levels of fines for non-compliance:

1. Up to £1 million for any contravention that could not cause a NIS incident.
2. Up to £3.4 million for a material contravention that has caused, or could cause, an incident resulting in a reduction of service for a significant period of time.
3. Up to £8.5 million for a material contravention that has caused, or could cause, an incident resulting in a disruption of service for a significant period of time.
4. Up to £17 million for a material contravention that has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the UK economy.

The level of fine issued will be assessed by the competent authority, which will take account of the OES’s level of compliance and the severity of the incident.

A cyber resilience programme that includes information security management, incident response, and business continuity management can help an organisation avoid or minimise the impact of disruptive incidents.

Implementing a cyber resilience programme aligned with international standards is a comprehensive way for OES to comply with the NIS Regulations requirements.

The NCSC also recommends that OES take note of best-practice frameworks, including international standards, to meet the 14 principles.

Although the Regulations don’t specify that OES must implement business continuity measures, we strongly recommend you do so. In addition to protecting your organisation from harm, this could provide you with a competitive advantage and help you comply with other legislation.

To ensure that your cyber resilience programme is robust and in line with international best practice, we recommend using the following standards:

ISO 27001

ISO 22301

• We can deliver everything you need for compliance, including consultancy, training, and tools.
• Our expertise in international management system standards and solid track record means we can deliver a complete solution for NIS Regulations compliance and manage the project from start to finish.
• We work with organisations in all industries and have managed hundreds of projects around the world.
• We can help you secure your networks and systems through rigorous penetration testing, compliance implementation projects, and executive expertise.
• We deliver practical advice and work according to your budget and business needs. No organisation or project is ever too big or small.
• We offer clear and transparent pricing.