Security of network information systems

Date published: 04 June 2019

The Network Information Systems Regulations 2018 introduced obligations for operators of essential services. 

The Regulations also created new regulatory bodies across the UK to ensure that operators report serious incidents and maintain the security and safety of their network information. 

The Regulations implemented an EU Directive designed to boost the overall level of security for the network and information systems that support the delivery of essential services, in sectors which are vital for our economy and society.


The Department of Finance was designated regulator for Northern Ireland and its remit includes the health, drinking water, energy, rail transport and road transport sectors. The Regulations set out the criteria for inclusion of operators of essential services and over 40 operators have been identified for NI alone in both the public and private sectors.

The Department of Finance sets incident thresholds for each sector and operators must report any incident that reaches the threshold within 72 hours of the incident occurring. DoF must then advise the National Cyber Security Centre (NCSC - which is part of GCHQ) about any incident so that appropriate action can be taken in an effective, proportionate and timely way. 

DoF must also ensure that operators maintain the security of their systems and it has decided that self-assessments and assessments using the NCSC’s Cyber Assessment Framework is the most appropriate means of doing this. 

The guidance attached provides further information.

To report incidents please do so via

Back to top