The Network and Information Systems (NIS) Directive was developed by the EU to boost the overall level of security for network and information systems that support the delivery of essential services. It applied to sectors providing services which are vital to the economy, such as the supply of electricity and drinking water and the provision of healthcare, transport and digital services. The NIS Directive was adopted by the European Parliament in July 2016 and came into force in August 2016.

The UK implemented the requirements of the Directive through the Network and Information Systems Regulations 2018 which came into effect on 10 May 2018. These Regulations provide legal measures to maintain and improve the level of security (both cyber and physical resilience) of network and information systems relied upon or used for the provision of essential services. The Regulations identified a number of NIS Competent Authorities with the Department of Finance designated in relation to devolved sectors; and a number of Operators of Essential Service with criteria identifying operators set out in schedule 2 of the Regulations. The Department of Finance may also designate additional operators if certain conditions are met.

There have been amendments to the Regulations to take account of the UK’s exit from the EU and to make other changes. The regulations continue to evolve and it is important that the most recent regulations are consulted. These are available using the link below.

NIS Policy & Legislation Unit

The role of the NIS Policy & Legislation Unit is to ensure that any Westminster policy or legislative proposals take account of the needs and requirements of the devolved government and departments, and to secure consents as appropriate. This is particularly the case with the cyber resilience proposals – the detail is provided at the link below.

The Unit also has a role in ensuring that any changes required to existing or future legislation are taken forward, and will be developing proposals around the appropriateness of some of the current arrangements now that the Network & Information Systems Regulations 2018 have been in place for a number of years. The Unit also has a role in ensuring proper application of the legislation particularly where changes have been made or the need for interpretation or clarification exists.

Further information

It you need further information on the 2018 NIS regulations or the proposed new cyber resilience primary legislation, please email the Department of Finance at the address below.

Back to top