The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


This guide is for organisations providing digital services such as online marketplaces, online search engines and cloud services.

It outlines the requirements of the NIS Regulations 2018 (NIS) and the underlying EU laws that they implement. It summarises the obligations for relevant digital service providers (RDSPs) and explains the ICO’s role as the UK’s competent authority for these organisations.

Other organisations covered by NIS, such as operators of essential services, should look to their own competent authorities for specific guidance. However, they may find some parts of this guide useful, such as where the interaction between NIS and the UK GPDR is outlined.

This is a living document and we are working to expand it in key areas. It includes links to relevant sections of the NIS Regulations, the EU NIS Directive, other relevant ICO guidance, guidance produced by the National Cyber Security Centre (NCSC) and guidance produced by the European Union Agency for Cybersecurity (ENISA)..