What are the NIS Directive and the NIS Regulations?
The Network and Information Systems Directive has been designed to improve the cybersecurity and resilience of network and information systems across the EU. It was transposed into UK law through the Network and Information Systems Regulations 2018 and was amended in 2021 to reflect the UK’s status as a non-EU country. The NIS regulations require certain organisations to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems, and to report significant incidents to the NCSC in the UK.
Who is obligated to comply with the regulations?
The regulations apply to operators of essential services (OES) and digital service providers (DSPs) that are based in the UK.
The NCSC defines OES as entities that are essential for the maintenance of critical societal and/or economic activities that rely heavily on network and information systems. They can include organisations in energy, transport, health, banking, and digital infrastructure. For DSPs, the NCSC guidance defines a digital service provider as ‘an organisation providing cloud computing services, online marketplaces, and search engines.’
In the event of a breach, or non-compliance with the regulations, the NCSC has the power to investigate and take enforcement action against the offending organisation. The NCSC may choose to issue enforcement notices requiring an organisation to take specific actions to remedy any breach of the regulations or levy financial penalties of up to £17m, or 4% of global turnover, as well as publicly naming and shaming those organisations that breach the regulations.
What are the requirements?
The specific requirements set out by the NCSC for complying with the directive include:
- Security measures
- Incident reporting
- Identification of critical systems
- Risk management
- Cooperation with the NCSC
Our NIS Directive support service at a glance…
We’ll identify where you do and don’t comply with the directive, and provide you with easy-to-follow remediation tasks.
We can offer hands-on technical and governance support in remediating gaps to comply with the NIS Directive.
We have a range of support documentation, including policies and procedures, which we can tailor to your organisation’s needs.
We can develop key IT and IG policies and procedures that meet the requirements of the standard.
Talk to a specialist now – call 01748 905 002.
“Having Evolve North support our board meetings really supported the work we are doing to safeguard our staff and customers”
Head of Operations, European Financial Services.
“Cyber Essentials Plus was essential for us to attain, and the Evolve North team made it possible”
Operations Director, UK Non-Profit
“Given our size, the vDPO service just made sense, as we couldn’t hire this role internally for several years to come”
CTO, UK Marketing Agency
“The Gap Analysis (UK GDPR, ISO 27001 & Cyber Essentials) just made things a lot clearer and proved our Data Protection roadmap for the next 12 months”
Head of IT, Insurance Broker
“We’ve partnered with Evolve North for PCI DSS & ISO 27001 support and they’ve always been there when we’ve needed them”
Programme Director, UK Hotel Chain
“They provided clarity across our M365 data and compliance services, our chaotic Microsoft licencing and our complex NHS environment”
Digital & Change Lead, UK NHS Trust
“After pushing through our Cyber Essentials and ISO27001, their quarterly Penetration Testing & Vulnerability scanning just made sense”
CTO, UK Housing Association
“Quick and easy method to get Cyber Essentials. Lots of support when needed”
IT Manager, UK Law Firm
“Just having the annual support days in place meant we could tackle incidents and third-party onboarding easily”
Director of Tech, UK Hospitality Organisation