The UK implemented the requirements of the Directive through the Network and Information Systems Regulations 2018 which came into effect on 10 May 2018. These regulations provide legal measures to maintain and improve the level of security (both cyber and physical resilience) of network and information systems relied upon or used for the provision of essential services. The regulations identified a number of competent authorities with the Department of Finance designated in relation to devolved sectors; and a number of operators of essential services with criteria identifying operators set out in schedule 2 of the regulations. The Department of Finance may also designate additional operators if certain conditions are met.
There have been amendment to the regulations to take account of the UK’s exit from the EU and to make other changes. The regulations continue to evolve and it is important that the most recent regulations are consulted. These are available using the link below.
NIS Policy & Legislation Unit
The role of the NIS Policy & Legislation Unit is to ensure that any Westminster policy or legislative proposals take account of the needs and requirements of the devolved government and departments, and to secure consents as appropriate. This is particularly the case with the cyber resilience proposals – the detail is provided at the link below.
The Unit also has a role in ensuring that any changes required to existing or future legislation are taken forward, and will be developing proposals around the appropriateness of some of the current arrangements now that the Network & Information Systems Regulations 2018 have been in place for a number of years. The Unit also has a role in ensuring proper application of the legislation particularly where changes have been made or the need for interpretation or clarification exists.
It you need further information on the 2018 regulations or the proposed new cyber resilience primary legislation, please email the Department of Finance at the address below.