1. UK NIS Regulations — Overview and Legal Basis
The Network and Information Systems Regulations 2018 (SI 2018/506) transposed the original EU NIS Directive (2016/1148) into UK law. When the UK left the European Union, the Regulations were retained as domestic legislation, with EU-exit amendments, as part of the wider process of incorporating EU-derived law into the UK statute book. The UK has not implemented EU NIS2 (Directive 2022/2555), which applies only within EU member states.
Since Brexit, the UK has developed its own cybersecurity regulatory trajectory. The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 introduced security requirements for consumer connectable products. The government has consulted on amendments to the NIS Regulations and has announced the Cyber Security and Resilience Bill to expand and update the regime; further change is therefore expected. Until that legislation is passed and in force, however, the foundational framework for operators of essential services and digital service providers remains the NIS Regulations 2018.
The Regulations impose obligations on two categories of organisations: Operators of Essential Services (OES) and Digital Service Providers (DSPs). Each category faces distinct requirements for security risk management and incident notification, supervised by different competent authorities.
2. Who is in Scope — OES and DSPs
Operators of Essential Services
OES are organisations that provide an essential service in one of the listed sectors, where the service depends on network and information systems and an incident affecting those systems would have significant disruptive effects on the service. Designation as an OES is made by the relevant competent authority for each sector, using the sector thresholds set out in the Regulations. Organisations that meet a threshold but have not been formally designated should contact their sectoral authority.
The NIS Regulations define five sectors for OES designation:
| Sector | In-scope OES examples | Competent authority |
|---|---|---|
| Energy | Electricity generators and distributors, gas suppliers, oil pipelines | Ofgem / Secretary of State for energy (DESNZ, formerly BEIS) |
| Transport | Airlines, airports, rail operators, ports, road infrastructure managers | DfT / CAA / ORR / MCA |
| Health | NHS trusts, major independent hospitals, diagnostic laboratories | DHSC / NHS England |
| Water | Major drinking water suppliers and distributors | DWQR / DWI |
| Digital Infrastructure | Internet exchange points (IXPs), DNS service providers, TLD name registries | Ofcom |
Digital Service Providers
DSPs are organisations providing one of three types of digital service on a commercial basis: online marketplaces, online search engines, and cloud computing services. Unlike OES, there is no formal designation: a provider that meets the criteria is in scope automatically, and a relevant DSP must register with the ICO (the competent authority for DSPs). To be in scope, the provider must also have its head office in the UK or have nominated a UK representative.
Importantly, DSPs benefit from a size exemption: organisations with fewer than 50 staff and an annual turnover or balance sheet total not exceeding €10 million (the EU micro and small enterprise definition) are excluded from DSP obligations. The test is cumulative, so an organisation with 50 or more staff, or one above the €10 million threshold, is in scope regardless of the other figure. Micro and small enterprises providing digital services are therefore generally outside the Regulations.
3. How UK NIS Differs from EU NIS2
UK organisations that also operate in EU member states need to understand the material differences between the two regimes. The EU NIS2 Directive (2022/2555), which member states were required to transpose by 17 October 2024, is significantly broader in scope and more prescriptive than UK NIS 2018.
| Aspect | UK NIS (2018) | EU NIS2 (Directive 2022/2555) |
|---|---|---|
| Scope | Narrow: designated OES in five sectors, plus DSPs above the size threshold | Broader: 18 sectors (Annex I and II); medium and large entities (50 or more staff, or turnover/balance sheet above €10M), plus certain entities regardless of size |
| Security obligations | "Appropriate and proportionate" measures, assessed against the outcome-based CAF (4 objectives, 14 principles) | Minimum list of 10 measures in Art. 21(2)(a) to (j) |
| Incident threshold | "Significant impact" on continuity of the essential or digital service | "Significant incident" as defined in Art. 23(3) |
| Reporting deadline | Without undue delay and no later than 72 hours after becoming aware | 24h early warning, 72h incident notification, final report within one month |
| Supply chain security | CAF principle A4 (outcome-based) | Explicitly required by Art. 21(2)(d) |
| Management liability | No explicit personal liability provision | Art. 20 management body accountability; Art. 32(5)(b) allows a temporary ban from managerial functions (essential entities) |
| Maximum fine | £17 million | €10M or 2% of worldwide turnover (essential entities), €7M or 1.4% (important entities), whichever is higher |
4. The Cyber Assessment Framework (CAF) — Four Objectives, 14 Principles
The Cyber Assessment Framework (CAF), published by the National Cyber Security Centre (NCSC), is the primary guidance for demonstrating that an OES has met its NIS security duties. The CAF is structured around four high-level objectives, subdivided into 14 principles; each principle has contributing outcomes, and each outcome is assessed against indicators of good practice (IGPs).
The four CAF objectives and their 14 principles
- Objective A: Managing security risk. A1 Governance, A2 Risk management, A3 Asset management, A4 Supply chain
- Objective B: Protecting against cyber attack. B1 Service protection policies, processes and procedures, B2 Identity and access control, B3 Data security, B4 System security, B5 Resilient networks and systems, B6 Staff awareness and training
- Objective C: Detecting cyber security events. C1 Security monitoring, C2 Proactive security event discovery
- Objective D: Minimising the impact of cyber security incidents. D1 Response and recovery planning, D2 Lessons learned
Competent authorities use the CAF as the primary tool for assessing whether an OES has implemented appropriate and proportionate security measures. Each contributing outcome is rated achieved, partially achieved or not achieved, based on which indicators of good practice are met, giving a nuanced picture of an organisation's cybersecurity posture rather than a simple pass/fail outcome.
Key CAF indicators checklist
- Board-level accountability for cybersecurity: a named individual at board level holds responsibility for cybersecurity. The board receives regular cybersecurity updates and makes informed risk decisions.
- Documented risk management process: a documented, regularly reviewed process for identifying, assessing and managing cybersecurity risks to the organisation's essential service.
- Asset inventory maintained: a current inventory of hardware, software, data and network assets that support the delivery of the essential service, with clear ownership.
- Supply chain security requirements in contracts: security requirements flow down to suppliers through contractual obligations. Supplier security postures are assessed before onboarding and regularly reviewed.
- Identity and access control policies: policies and controls restrict access to network and information systems to those who need it. Privileged access is separately controlled and audited.
- MFA for privileged access: multi-factor authentication is enforced for all accounts with privileged access to systems and data critical to service delivery.
- Data-at-rest and in-transit encryption: sensitive data is encrypted when stored and when transmitted across networks, with appropriate key management procedures in place.
- Security monitoring capability: the organisation monitors its networks and systems for security events and anomalies, with defined processes for reviewing and responding to alerts.
- Incident response plan tested: a documented incident response plan exists and has been tested through exercises. Roles and responsibilities for incident management are clearly defined.
- Business continuity and disaster recovery plans: plans exist to maintain or restore essential service delivery following a security incident. Recovery objectives (RTO/RPO) are defined and tested.
- Lessons learned process after incidents: after security incidents (including exercises), a structured process captures lessons learned and drives improvements to security measures.
- Regular staff security awareness training: all staff receive regular cybersecurity awareness training appropriate to their role. Specific training is provided for those with privileged access or critical responsibilities.
5. Incident Reporting — 72-Hour Deadline
Both OES and DSPs are required to notify incidents that have a significant impact on the continuity of the service they provide. The threshold criteria differ between the two categories, but the core obligation is the same: report to the relevant competent authority without undue delay and in any event no later than 72 hours after becoming aware of the incident.
What constitutes a significant impact?
For OES, the incident must have a significant impact on the continuity of the essential service. The Regulations direct the operator to consider the number of users affected, the duration of the incident, and the geographical area affected. Ransomware or a major DDoS attack that disrupts service delivery will qualify; a pure confidentiality breach that does not affect continuity is not a NIS-notifiable incident, although it may still be a personal data breach notifiable to the ICO under UK GDPR.
For DSPs, the Regulations set out five parameters: the number of users affected (in particular users relying on the service to provide their own services), the duration of the incident, the geographical spread, the extent of disruption to the functioning of the service, and the extent of the impact on economic and societal activities.
| Stage | Deadline | Content |
|---|---|---|
| Initial notification | No later than 72 hours after awareness | The operator's name and the service affected, the time the incident occurred, its duration, its nature and impact, any cross-border impact, and any other information the competent authority needs to assess it |
| Full report | As directed by competent authority | Detailed timeline, root cause analysis, impact assessment, remediation steps taken and planned |
| Post-incident review | No fixed statutory deadline | Lessons learned, improvements to security measures implemented as a result of the incident |
Where to report
Notifications must be sent to the relevant competent authority for your sector (see the table in Section 2). In addition, organisations should notify the NCSC, which acts as the UK's CSIRT and Single Point of Contact under the Regulations, provides incident response support and coordinates national-level responses to significant attacks. Where the same incident involves personal data, a separate notification to the ICO under UK GDPR (also within 72 hours) may be required; the NIS notification does not discharge that duty.
6. Competent Authorities and NCSC
The UK NIS Regulations operate through a network of sectoral competent authorities, each responsible for OES designation, security oversight and enforcement within their sector. This decentralised model means that your primary regulatory relationship is with the authority relevant to your industry, not a single central cybersecurity regulator.
- Ofgem — energy sector (electricity, gas)
- Department for Transport (DfT), Civil Aviation Authority (CAA), Office of Rail and Road (ORR), Maritime and Coastguard Agency (MCA) — transport sector
- Department of Health and Social Care (DHSC) / NHS England — health sector
- Drinking Water Quality Regulator (DWQR) / Drinking Water Inspectorate (DWI) — water sector
- Ofcom — digital infrastructure (the Department for Science, Innovation and Technology (DSIT) is the lead policy department for the Regulations, not a competent authority)
- Information Commissioner's Office (ICO) — digital service providers (cloud, search, marketplaces)
The National Cyber Security Centre (NCSC) is not itself a competent authority under the Regulations, but is designated as the UK's CSIRT and Single Point of Contact and plays a critical supporting role. The NCSC publishes the CAF and its supporting guidance, offers incident response support to in-scope organisations, and coordinates the UK's technical response to significant cyber incidents.
7. Fines and Enforcement
The NIS Regulations give competent authorities a range of enforcement powers, including the ability to issue information notices, enforcement notices (requiring specific security improvements), and penalty notices. Penalties are tiered according to the actual or potential consequences of the contravention, up to a ceiling of £17 million, which places UK NIS alongside UK GDPR as one of the most heavily sanctioned UK cybersecurity regimes.
| Contravention | Maximum fine |
|---|---|
| Any contravention that could not cause a NIS incident (for example, a failure to register or to supply requested information) | £1 million |
| Material contravention that has caused or could cause an incident reducing service provision for a significant period | £3.4 million |
| Material contravention that has caused or could cause an incident disrupting service provision for a significant period | £8.5 million |
| Material contravention that has caused or could cause an incident creating an immediate threat to life or a significant adverse impact on the UK economy | £17 million |
| Continued failure after an enforcement notice | Further penalty notices may be issued within the same bands |
In practice, competent authorities use fines as a last resort. Their primary approach is to work collaboratively with OES to improve their security posture through engagement, assessment, and guidance. Enforcement action typically follows repeated failures to engage constructively or deliberate non-compliance. That said, the £17 million maximum sends a clear signal that the Regulations carry real regulatory weight.
8. Next Steps for UK Organisations — and for Those Also Operating in the EU
If you are an OES or DSP under UK NIS, your immediate priorities are straightforward:
Confirm your designation status
If you operate in one of the five NIS sectors, contact your competent authority to confirm whether you have been (or should be) designated as an OES. For DSPs, confirm whether you meet the size thresholds that bring you into scope.
Complete the NCSC CAF self-assessment
Use the free CAF material at ncsc.gov.uk/collection/caf to self-assess your current cybersecurity posture against the four objectives and 14 principles. This will identify gaps and provide a roadmap for improvement.
Build or test your incident response plan
Ensure you have a documented incident response plan with clear ownership of the 72-hour notification obligation. Test it through a tabletop exercise before a real incident forces you to use it under pressure.
Check EU NIS2 obligations if you serve EU customers
If your organisation provides services to EU-based customers or operates through EU subsidiaries, assess whether EU NIS2 also applies. The two regimes can apply simultaneously, and NIS2 imposes additional obligations beyond UK NIS.
Check your NIS / NIS2 Compliance Status
If your organisation operates in both the UK and EU, nis2.saaslab.pl helps you identify your EU NIS2 obligations alongside UK NIS requirements.