The Network and Information Systems (NIS) Regulations 2018 impose cyber security and incident reporting obligations on operators of essential services (OES) and relevant digital service providers (RDSP). These regulations aim to protect the UK's critical national infrastructure from cyber threats.

If you operate in energy, transport, water, health, or digital infrastructure sectors, you may be designated as an OES with specific compliance obligations. This guide explains how to determine if you are in scope, what compliance requires, and how to meet your incident notification duties.

Who the NIS Regulations apply to

The regulations create two categories of regulated entities with different obligations:

Operators of essential services (OES) - Organisations designated by a competent authority as providing essential services that depend on network and information systems
Relevant digital service providers (RDSP) - Online marketplaces, online search engines, and cloud computing services above certain thresholds

OES are subject to more stringent requirements and oversight than RDSP. Your sector competent authority will notify you if you are designated as an OES.

NIS Regulations applicability thresholds

Who must comply with NIS Regulations 2018 - operators of essential services (OES) and relevant digital service providers (RDSP).

The Network and Information Systems (NIS) Regulations 2018 apply to operators of essential services (OES) and relevant digital service providers (RDSP).

Small business exemption: Organisations with fewer than 50 employees AND turnover/balance sheet below €10 million are exempt from RDSP obligations
OES sectors: Energy, transport, water, health, digital infrastructure
RDSP services: Online marketplaces, online search engines, cloud computing
Group assessment: If part of larger group, assess group numbers not subsidiary alone
Incident notification: Within 72 hours of discovery
Regulator: Sector-specific Competent Authorities (e.g., Ofgem for energy, ICO for digital services)
NCSC role: UK's single point of contact (SPOC) and computer security incident response team (CSIRT)

Security framework: NCSC Cyber Assessment Framework (CAF) - 14 core principles
OES obligations: Manage risks, prevent incidents, notify Competent Authority of incidents
RDSP obligations: Appropriate security measures, incident notification, comply with CA requests
Penalty maximum: £17 million for most serious breaches

NIS Regulations guidance

Competent authorities and the CAF

Each sector has a designated competent authority responsible for identifying OES, setting sector-specific guidance, and enforcing compliance:

Energy sector (electricity, oil, gas): Ofgem
Transport sector (air, rail, maritime, road): Department for Transport
Health sector (NHS trusts, ICBs, independent providers): Department of Health and Social Care
Drinking water supply and distribution: Defra (Environment Agency in practice)
Digital infrastructure (DNS, IXPs, TLD registries): Ofcom
Digital services (cloud, marketplace, search): Information Commissioner's Office (ICO)

NCSC role: The National Cyber Security Centre (NCSC) is the UK's single point of contact for NIS matters and the Computer Security Incident Response Team (CSIRT), providing technical guidance and incident response support across all sectors.

The NCSC Cyber Assessment Framework (CAF)

Competent authorities use the NCSC CAF to assess OES compliance across 14 core principles:

Objective A: Managing security risk: Governance, risk management, asset management, supply chain
Objective B: Protecting against cyber attack: Service protection policies, identity and access control, data security, system security, resilient networks and systems, staff awareness
Objective C: Detecting cyber security events: Security monitoring, anomaly detection
Objective D: Minimising impact of incidents: Response and recovery planning, lessons learned
Assessment approach: Competent authorities assess against CAF principles using Indicators of Good Practice (IGPs)
Outcome focus: CAF assesses whether outcomes are achieved, not prescriptive controls

What CAF assessment involves:

Your competent authority may conduct assessments directly or require self-assessment against CAF principles
Assessment considers your specific context, threat environment, and the criticality of your services
You must demonstrate appropriate and proportionate security measures for your risk profile
CAF uses a maturity model approach - the expected level depends on your sector and service criticality

Preparing for CAF assessment:

Review the NCSC CAF guidance and understand the 14 principles
Conduct a gap analysis against each principle's Indicators of Good Practice
Document your security measures and evidence of their effectiveness
Identify and address gaps before formal assessment
Engage with your competent authority early to understand sector-specific expectations

Incident notification requirements

OES and RDSP must notify their competent authority of significant incidents affecting service continuity or security. This is separate from (and additional to) GDPR data breach notification.

NIS Regulations incident notification requirements

Incident notification requirements under NIS Regulations 2018, including 72-hour timeline, notification paths by sector, and relationship with GDPR breach notification.

Under the Network and Information Systems (NIS) Regulations 2018, operators of essential services (OES) and relevant digital service providers (RDSP) must notify their competent authority of incidents that have a significant impact on the continuity or security of their services.

Notification deadline: Within 72 hours of becoming aware of the incident
Threshold for reporting (OES): Incident has significant impact on continuity of essential service
Threshold for reporting (RDSP): Incident has substantial impact on provision of digital service
OES notify: Energy sector: Ofgem
OES notify: Transport sector: Department for Transport
OES notify: Health sector: Department of Health and Social Care
OES notify: Water sector: Defra (Environment Agency in practice)
OES notify: Digital infrastructure: Ofcom
RDSP notify: All digital services: Information Commissioner's Office (ICO)

Initial notification must include: Nature of incident, affected systems, estimated impact, initial containment measures
Follow-up report required: Full details within reasonable time after incident resolved
NCSC role: UK's Computer Security Incident Response Team (CSIRT) - technical support and coordination
Voluntary notification: Can notify NCSC of incidents below threshold for advice and support

Relationship with GDPR breach notification

Separate obligations apply: NIS incident notification does not replace GDPR data breach notification. If an incident involves personal data, you may need to:

Notify your NIS competent authority (within 72 hours)
Notify the ICO under GDPR (within 72 hours) if personal data at risk
Notify affected individuals under GDPR (without undue delay) if high risk

Both notification regimes have a 72-hour deadline but are triggered by different criteria and go to different authorities (except for RDSPs where ICO handles both).

NIS penalty maximum: Up to £17 million for most serious breaches
GDPR penalty maximum: Up to £17.5 million or 4% of turnover (separate from NIS)
Failure to notify (NIS): Enforcement action by competent authority, potential fine

NIS Regulations guidance

What constitutes a reportable incident

For OES: An incident with significant impact on essential service continuity. For RDSP: An incident with substantial impact on digital service provision. Consider: number of users affected, duration, geographic spread, and economic impact.

When in doubt, report: Competent authorities prefer precautionary notifications over unreported significant incidents.

Dual notification obligations

A single cyber incident may trigger notification requirements under both NIS Regulations and UK GDPR:

NIS notification: To your sector competent authority if significant impact on service continuity
GDPR notification: To the ICO if personal data breach poses risk to individuals
Individual notification: To affected individuals if GDPR breach poses high risk
Timeline for both: 72 hours from becoming aware
Key difference: NIS focuses on service continuity, GDPR on personal data protection

Practical implication: A ransomware attack on an NHS trust, for example, could require notification to NHS England (NIS competent authority), the ICO (GDPR data breach), and affected patients (if high risk to their rights). Establish clear incident response procedures that address both regulatory frameworks.

Penalties and enforcement

Competent authorities have significant enforcement powers under the NIS Regulations. While the focus is on improving security posture rather than punitive action, persistent non-compliance carries serious consequences.

NIS Regulations penalties

Penalty framework under the Network and Information Systems Regulations 2018, including maximum fines, penalty tiers by infringement type, regulator enforcement powers, and relationship with GDPR penalties.

The Network and Information Systems (NIS) Regulations 2018 give competent authorities powers to impose significant penalties on operators of essential services (OES) and relevant digital service providers (RDSP) who fail to comply with security and incident notification requirements.

Maximum penalty: £17 million
Penalty applies to: Most serious breaches where material deficiencies have been identified
Penalty range: Penalties can range from warning notices to the £17 million maximum depending on severity
Penalty structure: No formal tiers - penalties determined by competent authority based on circumstances

Factors considered: Impact severity: Scale, duration, and geographic scope of the incident or deficiency
Factors considered: Number affected: Number of users, businesses, or critical services impacted
Factors considered: Economic damage: Financial losses to affected parties and wider economy
Factors considered: Degree of negligence: Whether operator took reasonable security measures and responded appropriately
Factors considered: History: Previous contraventions, warnings, or enforcement action
Factors considered: Cooperation: Level of cooperation with competent authority during investigation

Enforcement powers by sector

Each sector has a designated competent authority with enforcement powers:

Energy sector enforcer: Ofgem
Transport sector enforcer: Department for Transport
Health sector enforcer: Department of Health and Social Care
Water sector enforcer: Defra (Environment Agency in practice)
Digital infrastructure enforcer: Ofcom
Digital service providers enforcer: Information Commissioner's Office (ICO)

Enforcement powers

Competent authorities can take the following enforcement actions:

Information notices - require information about security measures and incidents
Inspection - conduct audits and inspections of security arrangements
Enforcement notices - require specific actions to remedy deficiencies
Penalty notices - impose financial penalties up to £17 million
Directions - require specific security measures or operational changes

Relationship with GDPR penalties

Penalties can be cumulative: NIS and GDPR are separate regulatory regimes with distinct penalty frameworks:

NIS maximum penalty: £17 million
UK GDPR maximum penalty (higher tier): £17.5 million or 4% of global annual turnover, whichever is higher
UK GDPR maximum penalty (standard): £8.7 million or 2% of global annual turnover
Same incident, both regimes: A single cyber incident could trigger enforcement under both NIS and GDPR if it involves personal data
Double jeopardy protection: None - separate legal bases allow separate penalties for same incident
ICO role (RDSPs): ICO is competent authority for both NIS (digital services) and GDPR, may coordinate enforcement

UK enforcement to date

Competent authorities have primarily used enforcement notices and warnings rather than maximum penalties. Focus has been on improving security posture through:

Security assessments using NCSC Cyber Assessment Framework (CAF)
Improvement plans with defined timescales
Follow-up inspections to verify compliance
Escalation to penalties only for persistent non-compliance

NIS Regulations guidance

Enforcement in practice

Competent authorities typically take a proportionate approach:

Assessment and guidance - Initial focus on identifying gaps and providing improvement guidance
Improvement plans - Where deficiencies exist, you may be required to submit and implement an improvement plan with defined timescales
Follow-up inspection - Verification that improvements have been made
Enforcement notices - If improvement plans are not followed, formal enforcement action
Penalty notices - Reserved for serious, persistent, or wilful non-compliance

Organisations that engage constructively with their competent authority, acknowledge shortcomings, and demonstrate genuine efforts to improve are unlikely to face maximum penalties.

HEALTHCARE & SOCIAL CARE Requirement

NHS organisations designated as OES have an additional compliance mechanism: the Data Security and Protection Toolkit (DSPT).

DSPT Version 7 (September 2024) adopts the NCSC Cyber Assessment Framework as its foundation, aligning NHS cyber security assessment with NIS Regulations requirements. Completing DSPT to "Standards Met" level demonstrates progress towards NIS compliance.

NHS OES incident reporting: Report to NHS England within 72 hours for incidents with an adverse effect on security or significant impact on service continuity. NHS England is the competent authority for health sector OES in England.

Geographic variations:

Scotland: NHS Scotland health boards
Wales: Local Health Boards
Northern Ireland: Health and Social Care Trusts

MANUFACTURING & ENGINEER… Requirement

Ofgem regulates NIS compliance for energy sector OES, including electricity generators, transmission and distribution network operators, and oil and gas suppliers.

Energy sector considerations:

Industrial control systems (ICS) and operational technology (OT) require specific security approaches
Smart grid and smart meter infrastructure creates additional attack surfaces
Supply chain security is particularly important given critical infrastructure dependencies

Ofgem publishes sector-specific guidance on NIS compliance expectations for energy organisations.

Compliance roadmap for OES

If you have been designated as an OES or believe you may be in scope, follow this roadmap:

Confirm your designation status

Contact your sector regulator if you have not received formal OES designation notification.
Identify your competent authority

Determine which authority regulates your sector (see table above).
Review the NCSC CAF

Understand the 14 core principles and Indicators of Good Practice (IGPs).
Conduct a gap analysis

Assess your security posture against CAF principles and document evidence.
Develop an improvement plan

Create a prioritised plan for identified gaps with realistic timescales.
Establish incident response procedures

Include NIS notification requirements alongside GDPR obligations.
Engage with your competent authority

Build a relationship before formal assessment to understand expectations.
Maintain ongoing compliance

Implement continuous monitoring and regular CAF assessment.

Other frameworks: NIS/CAF sits alongside Cyber Essentials (baseline hygiene), ISO 27001 (security management), UK GDPR (data protection), and sector standards (PCI-DSS, FCA resilience). Develop a unified programme mapping controls to multiple frameworks.

Upcoming changes: The Cyber Security and Resilience Bill (expected 2025/2026) will expand NIS scope and add supply chain requirements.

Business Context Testing

Content Graph

Guvnor

NIS Regulations: compliance for operators of essential services

Who the NIS Regulations apply to

Competent authorities and the CAF

The NCSC Cyber Assessment Framework (CAF)

Incident notification requirements

What constitutes a reportable incident

Dual notification obligations

Penalties and enforcement

Enforcement in practice

NHS organisations and the Data Security and Protection Toolkit

Energy sector OES requirements

Compliance roadmap for OES

Confirm your designation status

Identify your competent authority

Review the NCSC CAF

Conduct a gap analysis

Develop an improvement plan

Establish incident response procedures

Engage with your competent authority

Maintain ongoing compliance

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

Who the NIS Regulations apply to

Competent authorities and the CAF

The NCSC Cyber Assessment Framework (CAF)

Incident notification requirements

What constitutes a reportable incident

Dual notification obligations

Penalties and enforcement

Enforcement in practice

NHS organisations and the Data Security and Protection Toolkit

Energy sector OES requirements

Compliance roadmap for OES

Confirm your designation status

Identify your competent authority

Review the NCSC CAF

Conduct a gap analysis

Develop an improvement plan

Establish incident response procedures

Engage with your competent authority

Maintain ongoing compliance

Related guides in Digital & Technology

Business Context Testing

Content Graph