The Network and Information Systems Regulations 2018

The following Information Law guidance note provides comprehensive and up-to-date legal information covering:

  • The Network and Information Systems Regulations 2018
  • Background to the NIS Directive
  • National framework under NIS Regulations
  • Key definitions
  • Scope of NIS Regulations
  • Competent Authorities
  • Operators of essential services (OESs)
  • Digital service providers (RDSPs)
  • Registration and notification obligations
  • Security obligations

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU laws, including those relating to cybersecurity and data protection. During this period, the UK generally continues to be treated as an EU (and EEA) state for EU and UK cybersecurity and data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection and cybersecurity laws that are anticipated to apply after the end of it, see Practice Notes: Brexit—implications for data protection and Brexit—cybersecurity.

This Practice Note provides an overview of the Network and Information Systems Regulations 2018 (NIS Regulations), SI 2018/506, which implement the Network and Information Systems Directive (the NIS Directive), Directive (EU) 2016/1148, in the UK.

It discusses the background and purpose of the legislation and the obligations for operators of essential services (OESs) and relevant digital service providers (RDSPs) under the NIS Regulations and Regulation (EU) 2018/151, the Commission Implementing Regulations in relation to RDSPs.

Background to the NIS Directive

The NIS Directive (also known as the Cybersecurity Directive or Network and Information Security Directive) was adopted by