What are the NIS Directive and the NIS Regulations?

The Network and Information Systems Directive has been designed to improve the cybersecurity and resilience of network and information systems across the EU. It was transposed into UK law through the Network and Information Systems Regulations 2018 and was amended in 2021 to reflect the UK’s status as a non-EU country. The NIS regulations require certain organisations take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems, and to report significant incidents to the NCSC in the UK.

Who is obligated to comply with the regulations?

The regulations apply to operators of essential services (OES) and digital service providers (DSPs) that are based in the UK.

The NCSC defines OES as entities that are essential for the maintenance of critical societal and/or economic activities that rely heavily on network and information systems. They can include organisations in energy, transport, health, banking, and digital infrastructure. For DSPs, the NCSC guidance defines a digital service provider as ‘an organisation providing cloud computing services, online marketplaces, and search engines.’

In the event of a breach, or non-compliance with the regulations, the NCSC has the power to investigate and take enforcement action against the offending organisation. The NCSC may choose to issue enforcement notices requiring an organisation to take specific actions to remedy any breach of the regulations or levy financial penalties of up to £17m, or 4% of global turnover, as well as publicly naming and shaming those organisations that breach the regulations.
What are the requirements?

The specific requirements set out by the NCSC for complying with the directive include:

  • Security measures
  • Incident reporting
  • Identification of critical systems
  • Risk management
  • Cooperation with the NCSC
  • Record-keeping

Our NIS Directive support service at a glance…

We’ll identify where you do and don’t comply with the directive, and provide you with easy to follow remediation tasks.

We can offer hands-on technical and governance support in remediating to comply with the NIS Directive.

We have a range of support documentation including Policies and Procedures which we can tailor to your organisation’s needs.

Development of key IT and IG policies and procedures that meet the requirements of the standard.

Talk to a specialist now – call 01748 905 002.


Evolve North works across a wide range of differing industries throughout the UK and Europe in both public, private and voluntary sectors.