In Force | cross-sector | S.I. 2018/506

Network and Information Systems (NIS) Regulations 2018

Also known as: UK NIS Regulations

The UK NIS Regulations 2018 implemented the EU's original NIS Directive into UK law before Brexit. They require operators of essential services and digital service providers to implement appropriate security measures and report significant incidents. The UK is now developing the Cyber Security and Resilience Bill to replace and strengthen these regulations.

Jurisdiction: United Kingdom
Regulator: National Cyber Security Centre
Effective: 5/10/2018
Sector: cross-sector

Full Text / Summary

The UK NIS Regulations apply to operators of essential services (OES) in energy, transport, health, water, and digital infrastructure, and to relevant digital service providers (RDSP). OES are identified by competent authorities (Ofgem, DfT, DHSC, Defra, DCMS) based on whether they provide a service essential to the economy or society and whether an incident would have significant disruptive effects. The regulations require proportionate security measures based on the CAF (Cyber Assessment Framework) developed by NCSC. The Cyber Security and Resilience Bill, introduced in 2025, will expand scope and strengthen requirements.