NIS Governance in Northern Ireland

The Department of Finance NIS competent authority compliance and enforcement team are responsible for the oversight of the NIS Regulations in Northern Ireland and operators of essential services (OES) within the energy (electric, gas and oil), road & rail transport, drinking water supply and distribution and health sectors.

The implementation of the NIS regulations has many key stakeholders. The diagram below highlights these and below is a brief explanation on the role played by each.

The role of UK government

The Department for Digital, Culture, Media and Sport (DCMS) is the lead UK department responsible for the NIS Regulations and coordinates activities between the various competent authorities across England, Scotland, Wales and Northern Ireland, as well as engaging with NCSC/GCHQ.

Regulated Sectors

The NIS regulations cover a number of sectors. This includes:

  • Energy sector (electricity, gas and oil)
  • Transport sector (road, rail, water and air)
  • Health sector
  • Drinking water supply and distribution
  • Digital infrastructure

Digital Services

There is another collection of service providers included within the regulations that do not belong to a particular sector, but are classed as Relevant Digital Service Providers (RDSPs) and are included in part 4 of the NIS regulations. These would include organisations that provide digital services such as an online marketplace, search engines or cloud computing services.

The Competent Authorities

Oversight and enforcement of the NIS Regulations is the responsibility of the designated competent authority. These can be found in schedule 1 of the NIS Regulations.

The UK Government decided that a multiple competent authority approach was appropriate, with each competent authority having a detailed understanding of the individual sector/region and the associated challenges. Competent authorities have therefore been designated for sectors and regions covered by the NIS Regulations. The following competent authorities have been designated for services that operate in Northern Ireland or at a UK level encompassing responsibilities for Northern Ireland.

Department of Finance (DoF)

CA for Operators of Essential Services (OES) in Northern Ireland.

The Department of Finance (DoF) is a designated NIS competent authority and regulates operators of essential services within Northern Ireland in the discharge of their duties under the Network and Information Systems Regulations 2018; in the following sectors:  energy (electricity, oil and gas); transport (rail and road); health; and drinking water supply and distribution.

Information Commissioner Office (ICO)

UK Level CA for Relevant Digital Service Providers (RDSP)

The Information Commissioner is designated at a UK level for organisations defined as relevant digital service providers (RDSPs). A RDSP would provide services such as online marketplaces, online search engines and cloud computing services.

Office of Communications (Ofcom)

UK Level CA for Digital Infrastructure Services

Office of Communications (Ofcom) are designated at a UK level as the competent authority for Digital Infrastructure which are specific kinds of services such as top-level domain registration services, Domain Name System (DNS) services and Internet Exchange point (IXP) services.

Civil Aviation Authority (CAA)

UK Level CA for Air transport

The Secretary of State for Transport and Civil Aviation Authority (act jointly) for the air transport sector across the UK. This subsector includes passenger airports, en-route air traffic control services, provision of services by air carriers that meet the thresholds defined in Schedule 2 of the Network and Information Systems Regulations 2018.

Secretary of State for Transport

UK Level CA for Water Transport

The Secretary of State for Transport is responsible for the water transport sector across the UK. This subsector includes shipping in the UK for freight and passenger services subject to meeting the thresholds set out in Schedule 2 of the Network and Information Systems Regulations 2018.

Where the Secretary of State for Transport is the competent authority, the Cyber Compliance Team (CCT) in the Department for Transport will be responsible for carrying out the roles and responsibilities of the competent authority on behalf of the Secretary of State for Transport.

Operators of Essential Services

An organisation is deemed an operator of essential service under the NIS legislation if it relies on network and information systems to deliver its essential service and meet certain criteria set out in schedule 2 of the Network and Information Systems Regulations 2018.  The Department of Finance, as competent authority, may designate other operators of essential services is certain conditions (which are set out in the legislation) are met.

The criteria for identification of an operator of essential services is:

  1. It delivers an essential service as set out in schedule 2 of  the Regulations; where an “Essential Service” means a service which is essential for the maintenance of critical societal or economic activities;
  2. The service relies on network and information systems; and
  3. The service satisfies a threshold requirement for that essential service as set out in Schedule 2 of the regulations.

If an organisation meets the above criteria, it is deemed to be designated under the legislation and must notify the designated competent authority.

If an organisation meets criteria 1 & 2 above, the relevant competent authority may still designate them as an operator of essential service even if the organisation does not meet the threshold requirement.  This will be done if the competent authority concludes that any incident affecting the essential service is likely to have a significant disruptive effect and the organisation will be informed of its designation in writing.

An OES has responsibilities to protect the information systems that the essential service relies on and to report an incident to the competent authority where that causes a significant impact to the continuity of the service.

Related articles

Back to top