At a glance
- NIS concerns ‘network and information systems’ and their security. These are any systems that process ‘digital data’ for operation, use, protection and maintenance purposes.
- NIS requires these systems to have sufficient security to prevent any action that compromises either the data they store, or any related services they provide.
- NIS applies to two groups of organisations: operators of essential services (OES) and relevant digital service providers (RDSPs).
- OES are organisations that operate services deemed critical to the economy and wider society. They include critical infrastructure (water, transport, energy) and other important services, such as healthcare and digital infrastructure.
- RDSPs are organisations that provide specific types of digital services: online search engines, online marketplaces and cloud computing services. To be an RDSP, you must provide one or more of these services, have your head office in the UK (or have nominated a UK representative) and be a medium-sized enterprise.
- There is a general small business exemption for digital services; if you have fewer than 50 staff and a turnover or balance sheet below €10 million then you are not an RDSP, and NIS does not apply. However, if you are part of a larger group, then you need to assess the group’s staffing and turnover numbers to see if the exemption applies.
- NIS is regulated by sector-specific ‘competent authorities’. The ICO is the competent authority for RDSPs.
- The National Cyber Security Centre (NCSC) also has two functions: it is the UK’s ‘single point of contact’ (SPOC), as well as the ‘computer security incident response team’ (CSIRT).
In brief
- What are ‘network and information systems’?
- What is meant by ‘security of network and information systems’?
- What organisations are covered?
- What is an ‘operator of essential services’ (OES)?
- What is a ‘relevant digital service provider’ (RDSP)?
- What is a ‘competent authority’?
- What is the ‘single point of contact’ (SPOC)?
- What is the ‘computer security incident response team’ (CSIRT)?
What are ‘network and information systems’?
Regulation 1 of NIS defines a ‘network and information system’ as:
(a) an electronic communications network within the meaning of section 32(1) of the Communications Act 2003;
(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
(c) digital data stored, processed, retrieved or transmitted by elements covered under point (a) or (b) for the purposes of their operation, use, protection and maintenance;
This is basically any computer system used to process ‘digital data’. Digital data is any information stored in digital form on a network and information system. This information can include personal data even where the data is only processed for the operation, use, protection and/or maintenance of network and information systems. This is one reason for the inter-relationship between NIS and the UK GDPR.
What is meant by ‘security of network and information systems’?
Regulation 1 of NIS defines this as:
the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.
In essence, this refers to the concept of ‘information security’. You must have appropriate security measures to ensure that your systems, and the data within them, are not compromised.
This aligns closely with established standards such as ISO/IEC 27000:2018 and well-known guidelines including the US National Institute of Standards and Technology (NIST) Special Publication 800-53:
Examples
The ISO/IEC 27000:2018 standard defines information security as:
- ‘preservation of confidentiality, integrity and availability of information’
NIST SP 800-53 (PDF) defines information security as:
- ‘the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.’
The terms ‘confidentiality, integrity and availability’ are collectively known as the ‘CIA triad’, and they are well-established information security concepts. They are present in the UK GDPR and are therefore relevant in terms of the technical and organisational measures that you are required to have in place under that legislation. NIS adds ‘authenticity’ to these three.
This means that most of the NIS requirements in practice relate to cybersecurity measures. However, information security also encompasses physical and environmental factors, eg where such factors may pose a risk of compromising your systems.
What organisations are covered?
NIS applies to two different groups of organisations. These are ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs).
Although the ICO is not regulating operators of essential services, it is nevertheless useful to outline what these are. NIS envisages a different set of requirements for the two groups, with the security obligations and enforcement regimes for OES being stricter than those for RDSPs.
What is an ‘operator of essential services’ (OES)?
Essential services are services that are critical to the national infrastructure (eg water, energy, transport) or of significant importance to the economy and wider society, such as health services and digital infrastructure.
Regulation 1 of NIS defines an essential service as:
‘a service which is essential for the maintenance of critical societal or economic activities’
An ‘operator of essential services’ (OES) is an organisation that provides an essential service, where:
- the service provision depends on network and information systems; and
- any incident would have ‘significant disruptive effects’ on that service.
Part 3 of the NIS Regulations 2018 deals with the identification of OES and the security requirements they are obliged to follow. These are outside the scope of this Guide. If you are an OES and want to know more about these obligations, we recommend that you consult guidance produced by your competent authority, as well as the NCSC’s guidance.