Respond to a data breach
- 1 step
UK Statutory Instrument
2018
United Kingdom
Network and Information Systems Regulations 2018
At a glance
Who this Act binds
Business-side actors with duties under this Act, ranked by how often they appear.
- Any Person 7
- Operator 2
Plus 9 non-business duties on Crown ministers, regulators, local authorities or tribunals — shown collapsed under each section below.
Step-by-step journeys using this legislation
Walkthroughs that take you from a real business situation to compliance.
Data breach 72-hour checklist
- 1 step
Respond to a cyber attack
- 2 steps
Cyber security fundamentals
- 4 steps
Cyber security quick wins
- 4 steps
Grow your construction business
- 1 step
Relevant guidance
Practical guides for businesses affected by this Act, ordered by how closely they engage with it.
Direct — cites this Act
2 guidesSupporting — topic alignment
14 guidesMentioned in related content
1 guidesOther Acts binding the same actors
For each actor bound by this Act, the other UK Acts that bind them most often. Useful for understanding the full compliance landscape facing each role.
Any Person also bound by 749 other Acts (top 5 shown)
- Human Medicines Regulations 2012 2012 110 duties
- Licensing Act 2003 2003 105 duties
- Merchant Shipping Act 1995 1995 97 duties
- Road Traffic Act 1988 1988 95 duties
- Air Navigation Order 2016 2016 86 duties
Operators also bound by 125 other Acts (top 5 shown)
- Space Industry Regulations 2021 2021 71 duties
- Payment Services Regulations 2017 2017 41 duties
- Air Navigation Order 2016 2016 34 duties
- The Quarries Regulations 1999 1999 31 duties
- Reservoirs Act (Northern Ireland) 2015 2015 22 duties
What this Act requires
Sections that create concrete duties on businesses or carry penalties. Procedural and definitional sections are folded into the “Browse other sections” expander at the bottom of each group. Click any section title to read the source text on legislation.gov.uk.
Part 1 — Introduction
Browse 1 other section in this Part — procedural / definitional / commencement
Part 2 — The National Framework
Designation of national competent authorities
Other duties (1) — Crown / regulator
- Regulators must provide guidance and maintain lists of essential services Statutory regulator
Designation of the single point of contact
Other duties (1) — Crown / regulator
- GCHQ (SPOC) must cooperate with enforcement authorities Statutory regulator
Designation of computer security incident response team
Other duties (1) — Crown / regulator
- GCHQ (as CSIRT) must monitor and support UK businesses against cyber incidents Statutory regulator
Information sharing – enforcement authorities
Other duties (1) — Crown / regulator
- Enforcement authorities may share your information with other bodies Statutory regulator
Information sharing – Northern Ireland
Other duties (1) — Crown / regulator
- Northern Ireland Departments and regulators may share NIS information Crown / Minister / Government department
Part 3 — Operators of essential services
The security duties of operators of essential services
- Manage and secure network systems for essential services Any Person
The duty to notify incidents
- Notify your regulator of significant service disruptions Any Person
Nomination by an OES of a person to act on its behalf in the United Kingdom
- Nominate a UK representative for essential services Any Person
Browse 2 other sections in this Part — procedural / definitional / commencement
Part 4 — Digital Services
Relevant digital service providers
Fine up to £17,500,000- Secure network systems and notify the ICO of substantial incidents Operator
Registration with the Information Commissioner
- Register your business as a relevant digital service provider (RDSP) Any Person
Representatives of digital service providers established outside the United Kingdom
- Appoint a UK representative for overseas digital services Operator
Browse 1 other section in this Part — procedural / definitional / commencement
Part 5 — Enforcement and penalties
Information notices
- Respond to formal Information Notices from regulators Any Person
Enforcement notices for breach of duties
- Comply with enforcement notices regarding digital and network security Any Person
Appeal by an OES or RDSP to the First-tier Tribunal
Other duties (1) — Crown / regulator
- Tribunal must hear appeals against regulator decisions under NIS Regulations Tribunal / Court
Decision of the First-tier Tribunal
Other duties (1) — Crown / regulator
- Tribunal must determine appeals against NIS enforcement or designation Tribunal / Court
Enforcement by civil proceedings
Other duties (1) — Crown / regulator
- Regulators may start court proceedings to enforce NIS compliance Statutory regulator
Browse 4 other sections in this Part — procedural / definitional / commencement
Part 6 — Miscellaneous
Fees
- Pay costs incurred by the enforcement authority Any Person
Proceeds of penalties
Other duties (1) — Crown / regulator
- Regulators must pay penalty proceeds into government funds Statutory regulator
Browse 3 other sections in this Part — procedural / definitional / commencement
Enforcement action – general considerations
Service of documents
Review and report
Schedules
Browse 1 other Schedule — structural / supplementary
Official guidance
Authoritative sources published by regulators or government explaining this legislation.
- NCSC: NIS guidance (opens in a new tab) Detailed Guidance
- HSE: display screen equipment (opens in a new tab) from HSE Detailed Guidance
- Data protection annual compliance checklist (opens in a new tab) Detailed Guidance
- Online Safety Act compliance checklist (opens in a new tab) Detailed Guidance
- Network and Information Systems (NIS) Regulations (opens in a new tab) Detailed Guidance
- Rules for news agencies and information services (opens in a new tab) Detailed Guidance
- Data processing, hosting and web portal rules (opens in a new tab) Detailed Guidance
- Run a compliant information service business (opens in a new tab) Detailed Guidance
- Which information service rules apply to your business (opens in a new tab) Detailed Guidance
- Business Services Organisation NI (opens in a new tab) Detailed Guidance
- ... and 29 more
Enforcement and responsible bodies
The regulators that administer or enforce this legislation.
ICO
PrimaryInformation Commissioner's Office
Data protection, freedom of information, privacy and electronic communications regulation. Enforces UK GDPR and Data Protection Act 2018. Issues fines for breaches. …
Office of Gas and Electricity Markets
Regulates gas and electricity markets in Great Britain. Issues licences for generation, transmission, distribution, and supply. Protects consumers and promotes competition. Also …
Office of Communications
Regulates telecoms, TV, radio, video-on-demand, postal services, and online safety. Issues licences for telecoms providers, manages spectrum. Now enforces Online Safety Act …
Water Services Regulation Authority
Economic regulator for the water and sewerage sectors in England and Wales. Sets price limits, monitors service quality, and enforces environmental duties. …
Utility Regulator (Northern Ireland)
Regulates electricity, gas, and water industries in Northern Ireland. Protects consumers, promotes competition, and ensures adequate utility supply.
Explore more
Browse legislation
Find other UK business legislation with related guidance.
Regulators
Learn more about the bodies that enforce this legislation.