The Guide to NIS
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page tells you which guidance will be updated and when this will happen.
Latest updates
10 January 2023 - We have updated this guidance to reflect changes to the NIS regulations following transposition into UK law post-Brexit.
Introduction
This guide is for organisations providing digital services such as online marketplaces, online search engines and cloud services.
It outlines the requirements of the NIS Regulations 2018 (NIS) and the subsequent post-implementation review. It summarises the obligations for relevant digital service providers (RDSPs) and explains the ICO’s role as the UK’s competent authority for these organisations.
Other organisations covered by NIS, such as operators of essential services, should look to their own competent authorities for specific guidance. However, they may find some parts of this guide useful, such as where the interaction between NIS and the UK GDPR is outlined.
This is a living document and we are working to expand it in key areas. It includes links to relevant sections of the NIS Regulations, the EU NIS Directive, other relevant ICO guidance, guidance produced by the National Cyber Security Centre (NCSC) and guidance produced by the European Union Agency for Cybersecurity (ENISA).