UK Statutory Instrument 2018 (United Kingdom)

Network and Information Systems Regulations 2018

What this means for your business

Summary: 10 obligations, 1 penalty, 13 guides. Enforced by: ICO. Applies to: United Kingdom. Full text: legislation.gov.uk.

What you must do

10 compliance obligations under this legislation.

Appointments (2)

Appoint a UK representative and notify the ICO

If your company is based outside the UK, offers digital services to UK users, and is not a small or micro‑enterprise, you must name a UK‑based representative in writing and give the ICO their name and contact details. You have to do this within three months of first offering the service in the UK (or within three months of the regulations coming into force if you were already operating). The ICO can contact that representative instead of you.

Applies to: Trader/Business | Provision: Representatives of digital service providers established outside the United Kingdom | Enforced by: ICO | Trigger: Your head office is outside the UK, you provide digital services in …

Nominate a UK representative for your overseas OES

If your business is an Operator of Essential Services (OES) with its head office outside the UK, provides an essential service in the UK and has been served with a notice by the regulator, you must appoint a person located in the UK to act on your behalf. You need to tell the regulator who this person is, provide their contact details by the set deadline, and inform them of any changes within seven days.

Applies to: Trader/Business | Provision: Nomination by an OES of a person to act on its behalf in the United Kingdom | Enforced by: ICO | Trigger: Your business is an OES with a head office outside the UK, …

Management duties (2)

Implement proportionate security measures for essential services

If your business is classified as an Operator of an Essential Service (for example, in energy, transport, health or digital infrastructure), you must put in place technical and organisational steps that match current best practice to protect the networks and data you rely on. You also need to have measures ready to limit any security incident’s impact so your service can keep running, and you must follow any guidance issued by the regulator.

Applies to: Any person | Provision: s.10 | Enforced by: ICO | Trigger: When your business is designated as an Operator of an Essential Service …

Manage security risks and report serious incidents for digital services

Fine up to £17,500,000

If you run an online marketplace, a search engine or a cloud‑computing service in the UK, you must assess the security risks to the networks you rely on, put appropriate, proportionate security measures in place and keep those systems running. If an incident has a substantial impact on your service, you must tell the ICO in writing within 72 hours and provide the details set out in the regulation.

Applies to: Trader/Business | Provision: s.12 | Enforced by: ICO | Trigger: Your business provides an online marketplace, online search engine or cloud computing …

Notifications (1)

Notify the competent authority of significant NIS incidents

If your business provides an essential service and a cyber‑ or IT‑related incident seriously disrupts that service, you must tell the designated authority in writing within 72 hours. The report must include details such as what service is affected, when it happened, how long it lasted, the nature and impact of the incident and any cross‑border effects.

Applies to: Any person | Provision: s.11 | Enforced by: ICO | Trigger: When a NIS incident has a significant impact on the continuity of …

Other requirements (2)

Comply with any NIS enforcement notice you receive

If the ICO or the designated competent authority serves you with an enforcement notice because they think you have broken your NIS duties, you must follow the steps set out in that notice and fix the problem within the time‑frame they give you. Failure to do so can lead to further action.

Applies to: Any person | Provision: s.17 | Enforced by: ICO | Trigger: If you are served an enforcement notice under NIS Regulations s.17(1) or …

Comply with enforcement notices within 28 days

When the ICO or a regulator serves you with a notice requiring you to remedy a breach, you have 28 days to address it. If you ignore the notice, the regulator can bring civil proceedings to force compliance, which can result in court orders or other remedial measures.

Applies to: Any person | Provision: Enforcement by civil proceedings | Enforced by: ICO | Trigger: receiving an enforcement notice under regulation 17(3A)

Payments and fees (1)

Pay any NIS fee invoice within 30 days

If your business is an Operator of Essential Services or a Digital Service Provider and the ICO (or another enforcement authority) sends you an invoice for the cost of a NIS function, you must pay that fee. The payment must be made within 30 days of receiving the invoice, and the invoice must show what work was done and the amount charged.

Applies to: Any person | Provision: s.21 | Enforced by: ICO | Trigger: When you receive a valid NIS fee invoice from the enforcement authority

Registration and licensing (1)

Register your digital service with the Information Commissioner

If your business is a Relevant Digital Service Provider (RDSP) you must tell the ICO your name, head‑office (or nominated representative) address and up‑to‑date contact details before the registration deadline. You also have to inform the ICO in writing of any changes to those details as soon as possible, but no later than three months after the change occurs.

Applies to: Trader/Business | Provision: s.14 | Enforced by: ICO | Trigger: Your business qualifies as a Relevant Digital Service Provider (RDSP) under the …

Reporting and filing (1)

Provide information to authorities when served an information notice

If the Information Commissioner or another designated authority sends you a written information notice, you must give them the information they ask for, in the format and within the timeframe they set. This can happen when they are checking whether your business is an Operator of Essential Services or a digital service provider, or when they need details about security incidents or compliance. Failure to comply can lead to enforcement action.

Applies to: Any person | Provision: s.15 | Enforced by: ICO | Trigger: When a designated competent authority or the ICO serves you a written …

Penalties for non-compliance

1 penalty under this legislation.

Significant fine

Manage security risks and report serious incidents for digital services

Fine up to £17,500,000

Provision: s.12 | Penalises: Manage security risks and report serious incidents for …


Sections and provisions

30 classified provisions from this legislation.

Duties (18)

  • s.3 Designation of national competent authorities
  • s.4 Designation of the single point of contact
  • s.5 Designation of computer security incident response team
  • s.6 Information sharing – enforcement authorities
  • s.7 Information sharing – Northern Ireland
  • s.10 The security duties of operators of essential services
  • s.11 The duty to notify incidents
  • s.12 Relevant digital service providers
  • s.14 Registration with the Information Commissioner
  • s.15 Information notices
  • s.17 Enforcement notices for breach of duties
  • s.21 Fees
  • s.22 Proceeds of penalties
  • Appeal by an OES or RDSP to the First-tier Tribunal
  • Decision of the First-tier Tribunal
  • Enforcement by civil proceedings
  • Nomination by an OES of a person to act on its behalf in the United Kingdom
  • Representatives of digital service providers established outside the United Kingdom

Powers (3)

  • s.9 Revocation
  • s.13 Co-operation with the European Union
  • s.18 Penalties

Definitions (5)

  • s.1 Citation, commencement, interpretation and application (defined terms: cloud computing service; the Commission; EU Regulation 2018/151)
  • Schedule 2 Essential Services and Threshold Requirements (defined terms: interconnector licence; stored energy; crude oil)
  • s.16 Power of inspection (defined terms: inspection; inspector)
  • s.23 Enforcement action – general considerations
  • s.25 Review and report

Exemptions (1)

  • s.8 Identification of operators of essential services