The ICO exists to empower you through information.


This guide is for organisations providing digital services such as online marketplaces, online search engines and cloud services.

It outlines the requirements of the NIS Regulations 2018 (NIS) and subsequent post-implementation review. It summarises the obligations for relevant digital service providers (RDSPs) and explains the ICO’s role as the UK’s competent authority for these organisations.

Other organisations covered by NIS, such as operators of essential services, should look to their own competent authorities for specific guidance. However, they may find some parts of this guide useful, such as where the interaction between NIS and the UK GPDR is outlined.

This is a living document and we are working to expand it in key areas. It includes links to relevant sections of the NIS Regulations, the EU NIS Directive, other relevant ICO guidance, guidance produced by the National Cyber Security Centre (NCSC) and guidance produced by the European Union Agency for Cybersecurity (ENISA).

Latest updates

10 January 2023 - We have updated this guidance to reflect changes to the NIS regulations following transposition into UK law post-Brexit.