The Network and Information Systems Regulations (2018) (NISR) quietly came into force on 10 May 2018. If you’re in the energy (electricity and gas), oil and gas, water, transport or healthcare sectors, or are a digital service provider, and missed the NISR news among the GDPR headlines, then you need to get up to speed quickly. That’s because you needed to act by 10 August or risk being non-compliant.
The NISR says operators of essential services (OESs; we outline how you can find out if you are one below) had to notify their relevant competent authority (CA; they’re like regulators for NISR) by 10 August 2018.
But what does this really mean?
Schedule 2 of the NISR defines the criteria that qualify services as essential for society and the economy to function. So, you need to consider all the services you offer and decide if any meet those criteria. Some are quite complex and need to be read carefully to make the right decision. For example, NISR applies to airlines which carry more than thirty percent of the annual terminal passengers at any United Kingdom airport which has more than 10 million annual terminal passengers, and which carry more than 10 million total annual terminal passengers across all United Kingdom airports. Bear in mind, the NISR may only apply to some of your services (such as certain oil production installations), so it doesn’t necessarily affect your whole organisation.
The CA has the power to decide if you’re an OES, set sector-specific guidelines for compliance with the NISR, inspect OESs, investigate reportable cyber security incidents and impose penalties for non-compliance. Schedule 1 of the NISR defines who the CA is for each sector covered by the NISR. In most cases, this is the relevant government department, like the Department for Business, Energy and Industrial Strategy for the energy sector. This could get complicated if you provide services in England and Wales, Scotland, and Northern Ireland, as there may be a different CA for the same service in each. So be sure to check whether you need to inform multiple CAs.
We believe this requirement is mainly in the NISR to help CAs find all the OESs in their sector. While there’s no penalty outlined in the NISR for not notifying the CA, only the CA can say definitively that no sanction will be imposed.
And as you’ll be dealing with a CA more in the future, it can only be a good idea to notify them as soon as possible if you haven't already. Besides, all you need to do is say you believe you’re an OES.
It’s easy to see NISR as just more regulation but, at its core, this is an opportunity for organisations to improve the resilience of essential services, giving confidence to customers.
To help with this and comply with NISR, we have a five-step approach: