What is the Network and Information Systems Regulations 2018?


NIS stands for Network and Information Systems, and the 2018 regulations are dedicated to establishing a common level of security for them.

These systems play a vital role in the economy, and the NIS Regulations aim to address the threats posed to them, whether from cyber-attacks or from physical and environmental factors.

In short, the aim of these regulations is to protect the infrastructure behind the country's vital services, including the digital economy.

Why is there a need for NIS?

The magnitude, frequency and impact of security incidents are increasing, with network and information systems becoming the main target for harm.

Although not technically a cyber-security law, the NIS Regulation has been put in place to help minimise security incidents that have a negative and disruptive effect on organisations, businesses and society.

Malicious cyber-attacks and cyber accidents are a serious threat and concern, but it is important to note that these are not the only potential threats to our infrastructure. For example, an interruption to a power station could just as easily be caused by a natural disaster such as flooding as by a malicious hacker. The NIS Regulations are partly intended to help organisations reduce the impact on society and ensure that disruption from unpredictable incidents, whether cyber or physical, is kept to a minimum.

What organisations does the NIS cover?

The NIS Regulations apply to two groups: OES (operators of essential services) and RDSPs (relevant digital service providers).

The ICO is the competent authority for RDSPs and has a range of powers to enforce NIS, including issuing fines of up to £17 million.

Is anybody exempt?

Yes, these regulations do not apply to small or micro-businesses (fewer than 50 staff and a turnover of less than £10 million) offering digital services, unless they are part of a larger group or controlled by a larger organisation.

However, regardless of NIS, if you are processing personal data then you are still covered by the GDPR (General Data Protection Regulation) and the Data Protection Act 2018, so be aware of this whatever the size of your business.

It’s important to be in the know regarding which regulations apply to your company.

If you would like to know more about NIS Regulations or GDPR, contact the Griffin House Consultancy team on 01673 885533 and we’ll be happy to help.
