Current status of implementation

UK NIS Directive will be implemented into national laws on 9th May 2018. The Department for Digital, Culture Media & Sport commenced a public consultation in relation to the implementation on 8 August 2017 and published the Government's response to the public consultation in January 2018.

Implementation Act

To be implemented into UK law on 9 May 2018 through section 2(2) of the European Communities Act.

Determination of operators of essential services (Art. 5 NIS)

In accordance with Art. 5 of the NIS Directive, the UK Government has proposed criteria to identify operators of the following essential services: a) Drinking water supply and distribution, b) Energy (including electricity, oil and gas), c) Digital Infrastructure, d) Health Sector, e) Transport (including air, maritime, rail and road) (all identified in Annex 1 of the Government Response to Public Consultation from the Department for Digital, Culture, Media and Sport dated January 2018).

The consultation paper proposed a series of thresholds so that the enactment will apply only to "more important operators" in each sector. The consultation responses highlighted concerns that the thresholds required further clarity.  As a result, Lead Government Departments have refined the thresholds so that companies can identify with certainty whether they are in scope of the requirements of the Directive. The revised thresholds are also identified in Annex 1 of the Government Response to the Public Consultation.  When considering these thresholds, the UK Government has taken into account the requirements of Art. 5 and Art. 6 of the NIS Directive.   The thresholds are not intended to identify the systems that are in scope of the Directive, only the operators of essential services. Identifying the systems that support the services will be the responsibility of the operators.

Alongside essential operators, Digital Service Providers (DSPs) will be required to comply with the requirements of the NIS Regulation which implements the NIS Directive in the UK. Companies that "normally provide a service for remuneration, at a distance, by electronic means and at the individual request of a recipient of services" will be categorised as DSPs and will be within scope of the Directive if they are operators of an online market place, an online search engine or a cloud computing service. Despite the definitions that have been given there still remains significant room for uncertainty as to whether you qualify as a DSP.

Reporting obligations

All NIS incidents should be reported to the competent authority. Competent authorities will calculate incident reporting thresholds for each sector and/or sub sector and will publish such thresholds before May 2018. In order to define incident thresholds, competent authorities must determine what a significant impact would be in their sectors.  The UK Government has stated that as a minimum, the following parameters will be used: a) the number of users affected by the disruption of the essential service; b) the likely or actual duration of the incident; c) the geographical area affected by the incident. In addition, competent authorities may also use the following optional parameters: (d) the dependency of other sectors on the service provided by the affected entity; and (e) the impact that incidents have, in terms of degree and duration, on economic and societal activities, public safety or national security.  The UK Government has stated that operators must report an incident without undue delay and, where feasible, no later than 72 hours after having become aware of an incident. 

The UK Government proposes to encourage the voluntary reporting of incidents that do not meet the NIS Directive thresholds of a reportable incident, such as:

  1. incidents where operators have to take action to maintain supply, provision, confidentiality or integrity of the service; and
  2. incidents where software/intrusions are found that could potentially disrupt, or allow to be disrupted, the supply, provision, confidentiality or integrity of the service.

Voluntary reporting can be reported to either the competent authority or the National Cyber Security Centre (NCSC). The voluntary reporting of such incidents will not subject operators of essential services to increased liability. However, an operator of essential services will be expected to respond to such incidents as part of their duty to ensure that appropriate risk-management measures are in place to mitigate the impact of any adverse incident. Engagement with the voluntary reporting systems (through NIS or other systems) will be considered as evidence that such measures are in place, in particular when considering the effectiveness of risk management and incident management systems.

A relevant DSP must notify the competent authority, the Information Commissioner's Office (ICO), about any security incident which has a substantial impact on the provision of any of the following digital services (a) online marketplace; (b) online search engine; or (c) cloud computing service. In order to determine whether the impact of a security incident is substantial a relevant DSP must have regard to a set of criteria set out in the draft NIS Regulation which implements the NIS Directive. Additionally the draft Regulation provides that a relevant DSP must also have regard to the following (a) (in so far as the relevant DSP is able to assess), the number of users affected by the incident, and in particular, any users relying on the digital service for the provision of their services; (b) the duration of the incident; and (c) the geographical area affected by the incident; (d) the extent of the disruption to the service provision; and (e) the extent of the impact on economic and societal activities.

It is possible to qualify as an essential operator and as a DSP and those who do will have to comply with reporting requirements in each role.

Sanctions regime

The Government proposes that the penalty regime for the NIS Directive will include a maximum financial penalty of £17m, which will cover all contraventions, such as (for example) failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, failure to implement appropriate and proportionate security measures. Financial penalties will only be levelled as a last resort where it is assessed appropriate risk mitigation measures were not in place without good reason. In addition, the maximum penalties should be reserved for the most severe cases, , and it is expected that mitigating factors (including steps taken to comply with the NIS Directive, actions taken to remedy any consequences) and sector specific factors will be taken into account by the competent authority when deciding appropriate regulatory response. In the event of any enforcement action by the competent authority, it will notify the operator of impending action, allow the operator an opportunity to make representations, and confirm the final decision and reasoning of the competent authority. Decisions taken by the competent authority will be enforceable by civil proceedings, and appealable through the court system.

It is also proposed that breach of the NIS Directive is cumulative with any GDPR sanction. There may be reason for an operator to be penalised under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts. However, the NIS Regulations will include text which will encourage competent authorities to work with regulators in the event of different regimes applying to determine what approach to take. This will not limit a competent authority’s ability to apply the penalty it feels is appropriate to the circumstances, but will encourage it to factor in other regimes if this is appropriate.

Competent authorities

The UK Government intends to take a multi authority approach to designating competent authorities to supervise each sector regulated by the NIS Directive. Where there are operators that provide essential services to more than one sector, and therefore fall under the remit of more than one competent authority, the relevant competent authorities will be encouraged to cooperate, to ensure that they do not put an unnecessary burden on the operator. However, they will retain responsibility for their jurisdiction.

The NCSC will have a significant supporting role, providing expert advice to competent authorities, publishing guidance and assessment tools to enable them to undertake duties effectively and providing incident response capability to cyber attacks. The Government has stated that there must be a clear separation of powers between the NCSC and competent authorities. Ultimate authority and responsibility for any regulatory decision will lie solely with the competent authority.

A list of proposed competent authorities is included in Annex 2 of the Government Response to Public Consultation from the Department for Digital, Culture, Media and Sport dated January 2018. The list is subject to final confirmation and a definitive list will be included in the NIS Regulations. Proposed competent authorities in Annex 2:

  • Drinking water supply and distribution: In England, Department for Environment, Food and Rural Affairs (Defra) supported by the Drinking Water Inspectorate; In Wales, Welsh Ministers supported by the Drinking Water Inspectorate.
  • Energy- Electricity: In England, Scotland and Wales, the Department for Business, Energy and Industrial Strategy (BEIS) and the Office of Gas and Electricity Markets (Ofgem).
  • Energy- Gas (downstream): In England, Scotland and Wales, the Department for BEIS and Ofgem.
  • Energy- Gas (upstream): In England, Scotland and Wales, the Department for BEIS supported by the Health and Safety Executive.
  • Energy- Oil (downstream and upstream): In England, Scotland and Wales, the Department for BEIS supported by the Health and Safety Executive.
  • Digital Infrastructure: The Office of Communications (Ofcom).
  • Health Sector: In England, the Department of Health, supported by NHS Digita; in Wales, Welsh Ministers.
  • Transport- Air: Department for Transport (DfT), acting jointly with the Civil Aviation Authority (CAA).
  • Transport- Maritime: DfT.
  • Transport- Road: In England and Wales, DfT.
  • Transport-Rail: In England and Wales, DfT.
  • Digital Service Providers: Information Commissioner's Office.

The competent authority in Northern Ireland will be confirmed by the Northern Ireland Government Departments. The Government is working with the Scottish Government to determine the best arrangements for competent authorities in respect of devolved functions in Scotland.

Jurisdictional applications

The territorial scope of the UK's implementing legislation is expected to adopt the position as set out under the NIS Directive. Each Member State has to identify essential operators with an establishment on its territory. The recitals to the Directive clarify that, for the purpose of identifying operators of essential services, establishment in a Member State implies the effective and real exercise of activity through stable arrangements. This means that a Member State can have jurisdiction over an essential operator not only in cases where the operator has its head office on its territory but also in cases where the operator has a branch (or other type of legal establishment). As such, several Member States could have jurisdiction over the same entity.

Where a DPS is established in the EU, it will be subject to the jurisdiction of the Member State where it has its main establishment (i.e. head office). Where a DSP is not established in the EU but offers digital services into the EU, it must designate a representative in the Union. In that case, the Member State where the representative is established will have jurisdiction over the company.

Remarks (if any)

“The UK Cyber Security Strategy” was published on 1 November 2016, which sets out how the UK will address cyber security challenges over the next five years. The UK Government is working closely with the Devolved Administrations on the strategy’s application to Scotland, Wales and Northern Ireland. The UK Government considers its strategy is amongst the most comprehensive cyber strategies within the EU and believes that it addresses most of the requirements of the Directive. Those requirements that are not covered by the current strategy can be addressed through a NIS specific addendum to the strategy.

Last reviewed 03.05.2018