PA OPINION

The NISR - did you meet the 10 August deadline?

The Network and Information Systems Regulations (2018) (NISR) quietly came into force on 10 May 2018. If you’re in the energy (electricity and gas), oil and gas, water, transport or healthcare sectors, or are a digital service provider, and missed the NISR news among the GDPR headlines, then you need to get up to speed quickly. That’s because you needed to act by 10 August or risk being non-compliant.

The NISR says operators of essential services (we outline how you can find out if you are one below) had to notify their relevant competent authority (they’re like regulators for NISR) by 10 August 2018.

But what does this really mean?

Am I an operator of essential services (OES)?

Schedule 2 of the NISR defines the criteria that qualify services as essential for society and the economy to function. So, you need to consider all the services you offer and decide if any meet those criteria. Some are quite complex and need to be read carefully to make the right decision. For example, NISR applies to airlines which carry more than thirty percent of the annual terminal passengers at any United Kingdom airport which has annual terminal passenger numbers greater than 10 million and more than 10 million total annual terminal passengers across all United Kingdom airports. Bear in mind, the NISR may only apply to some of your services (such as certain oil production installations), so it doesn’t necessarily affect your whole organisation.

Who and what is the competent authority (CA)?

The CA has the power to decide if you’re an OES, set sector-specific guidelines for compliance with the NISR, inspect OESs, investigate reportable cyber security incidents and impose penalties for non-compliance. Schedule 1 of the NISR defines who the CA is for each sector covered by the NISR. In most cases, this is the relevant government department, like the Department for Business, Energy and Industrial Strategy for the Energy sector. This could get complicated if you provide services in England and Wales, Scotland, and Northern Ireland as there may be a different CA for the same service. So be sure to check whether you need to inform multiple CAs.

Will you get penalised if you didn’t meet the 10 August 2018 deadline?

We believe this requirement is mainly in the NISR to help CAs find all the OESs in their sector. While there’s no penalty outlined in the NISR for not notifying the CA, only the CA can say definitively that no sanction will be imposed.

And as you’ll be dealing with a CA more in the future, it can only be a good idea to notify them as soon as possible if you haven't already. Besides, all you need to do is say you believe you’re an OES.

It’s easy to see NISR as just more regulation but, at its core, this is an opportunity for organisations to improve the resilience of essential services, giving confidence to customers.

To help with this and comply with NISR, we have a five-step approach:

  • identify what services and systems are in scope
  • assess the current state of cyber security against the NIS requirements
  • design and implement an improvement programme to fill any gaps
  • establish and rehearse the ability to identify, evaluate and report incidents
  • assure management that the organisation complies with NISR.

Contact the cyber security and digital trust team

Adam Stringer

Cate Pye

Elliot Rose

Justin Lowe

Laura Marsden

Sharad Patel

Carl Nightingale