The ICO exists to empower you through information.

At a glance

  • NIS concerns ‘network and information systems’ and their security. These are any systems that process ‘digital data’ for operation, use, protection and maintenance purposes.
  • NIS requires these systems to have sufficient security to prevent any action that compromises either the data they store, or any related services they provide.
  • NIS applies to two groups of organisations: operators of essential services (OES) and relevant digital service providers (RDSPs).
  • OES are organisations that operate services deemed critical to the economy and wider society. They include critical infrastructure (water, transport, energy) and other important services, such as healthcare and digital infrastructure.
  • RDSPs are organisations that provide specific types of digital services: online search engines, online marketplaces and cloud computing services. To be an RDSP, you must provide one or more of these services, have your head office in the UK (or have nominated a UK representative) and be a medium-sized enterprise.
  • There is a general small business exemption for digital services; if you have fewer than 50 staff and a turnover or balance sheet below €10 million then you are not an RDSP, and NIS does not apply. However, if you are part of a larger group, then you need to assess the group’s staffing and turnover numbers to see if the exemption applies.
  • NIS is regulated by sector-specific ‘competent authorities’. The ICO is the competent authority for RDSPs.
  • The National Cyber Security Centre (NCSC) also has two functions: it is the UK’s ‘single point of contact’ (SPOC), as well as the ‘computer security incident response team’ (CSIRT).

In brief

What are ‘network and information systems’?

Regulation 1 of NIS defines a ‘network and information system’ as:

(a) an electronic communications network within the meaning of section 32(1) of the Communications Act 2003;

(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or

(c) digital data stored, processed, retrieved or transmitted by elements covered under point (a) or (b) for the purposes of their operation, use, protection and maintenance;

This is basically any computer system used to process ‘digital data’. Digital data is any information stored in digital form on a network and information system. This information can include personal data even where the data is only processed for the operation, use, protection and/or maintenance of network and information systems. This is one reason for the inter-relationship between NIS and the UK GDPR.

What is meant by ‘security of network and information systems’?

Regulation 1 of NIS defines this as:

the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

In essence, this refers to the concept of ‘information security’. You must have appropriate security measures to ensure that your systems, and the data within them, are not compromised.

This aligns closely with established standards such as ISO/IEC 27000:2018 and well-known guidelines including the US National Institute of Standards and Technology (NIST) Special Publication 800-53:

Examples

The ISO/IEC 27000:2018 standard defines information security as:

  • ‘preservation of confidentiality, integrity and availability of information’

NIST SP 800-53 (PDF) defines information security as:

  • ‘the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.’

The terms ‘confidentiality, integrity and availability’ are collectively known as the ‘CIA triad’, and they are well-established information security concepts. They are present in the UK GDPR and are therefore relevant in terms of the technical and organisational measures that you are required to have in place under that legislation. NIS adds ‘authenticity’ to these three.

This means that most of the NIS requirements in practice relate to cybersecurity measures. However, information security also encompasses physical and environmental factors as well, eg where such factors may pose a risk of compromising your systems.

What organisations are covered?

NIS applies to two different groups of organisations. These are ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs).

Although the ICO is not regulating operators of essential services it is nevertheless useful to outline what these are. NIS envisages a different set of requirements for the two groups, with the security obligations and enforcement regimes for OES being stricter than RDSPs.

What is an ‘operator of essential services’ (OES)?

Essential services are services that are critical to the national infrastructure (eg water, energy, transport) or significantly important to the economy and wider society like health services and digital infrastructure.

Regulation 1 of NIS defines an essential service as:

‘a service which is essential for the maintenance of critical societal or economic activities’

An ‘operator of essential services’ (OES) is an organisation that provides an essential service, where:

  • the service provision depends on network and information systems; and
  • any incident would have ‘significant disruptive effects’ on that service.

Part 3 of the NIS Regulations 2018 deals with the identification of OES and the security requirements they are obliged to follow. These are outside the scope of this Guide. If you are an OES and want to know more about these obligations, we recommend that you consult guidance produced by your competent authority, as well as the NCSC’s guidance.

What is a ‘relevant digital service provider’ (RDSP)?

If you provide certain types of digital services, you are a ‘digital service provider’ or DSP. However, NIS does not apply to all digital services. To be covered, your digital service must be one or more of:

  • an online marketplace;
  • an online search engine; or
  • a cloud computing service.

If you provide any of these, alone or in combination, then you are a providing a type of digital service covered by NIS. There is more detail on the precise definition for each of these under the section titled ‘Digital service providers’.

However, for NIS to apply to you directly, you must:

  • have a head office in the UK, or have nominated a representative in the UK; and
  • not meet the definition of a micro or small enterprise – this definition applies where you have fewer than 50 staff and an annual turnover or balance sheet of below €10 million.

If you meet these conditions then you are an RDSP, and must comply with the NIS requirements.

Part 4 of the NIS Regulations 2018 details these requirements. These include an additional implementing act, Regulation 2018/151, which is specifically aimed at RDSPs and is referred to in this Guide as ‘the DSP Regulation’.

The following sections of this Guide provide further detail on Part 4 of NIS. 

However, even if your service is not an RDSP, it is likely that you are a data controller and potentially a data processor under the UK GDPR, and therefore you need to ensure that any personal data you process complies with data protection law.

What is a ‘competent authority’?

‘Competent authority’ is the term used in NIS for a regulatory body. There are multiple competent authorities responsible for different sectors covered by NIS.

The ICO is the competent authority for RDSPs. In that capacity, we are required to:

  • review the application of NIS on RDSPs;
  • prepare and publish guidance for RDSPs;
  • consult and co-operate with other relevant agencies, such as law enforcement, other competent authorities, and the NCSC; and
  • undertake enforcement action, where appropriate.

A list of other competent authorities is published in Schedule 1 of NIS.

What is the ‘single point of contact’ (SPOC)?

NIS establishes a ‘single point of contact’ (SPOC). The SPOC’s role is concerned with cross-border co-operation, for example in any incident that has an impact in another Member State. Competent authorities provide the SPOC with an annual summary of incident notifications, and the SPOC in turn reports to a European-level ‘Cooperation Group’ as well as the EU Commission.

GCHQ is the UK SPOC, with functions under NIS carried out by the National Cyber Security Centre (NCSC) will be the UK SPOC. We have provided more information on the role of the SPOC later in this Guide.

What is the ‘computer security incident response team’ (CSIRT)?

NIS establishes a CSIRT to monitor and respond to incidents it is notified about. The CSIRT also has other functions to provide warnings, alerts, announcements and disseminate information about risks and incidents. Competent authorities are required to share incident notifications with the CSIRT as soon as reasonably practicable.

GCHQ is the UK CSIRT, with functions under NIS carried out by the NCSC. We have provided more information on the role of the CSIRT later in this Guide.