On May 10, 2018, the new regulations on the Security of Network and Information Systems came into force in the UK. The new regulation is called the Network and Information Systems Regulations 2018 – the NIS regime.
The NIS follows the adoption of the EU Cybersecurity Directive according to which “Operators of essential services” (OESs) and “relevant digital services providers” (RDSPs) in the EU must have appropriate and proportionate cyber security measures in place and report cyber security incidents to regulators.
The NIS regime is directed at UK operators in electricity, transport, water, energy, health and digital infrastructure. The regulations cover threats affecting IT, such as cyber threats, power failures, hardware failures and environmental hazards.
The UK regulators have a number of powers including the ability to impose sanctions for non-compliance as follows:
- Up to UK £1 million for any contravention that doesn’t cause an “NIS incident” (i.e. for OESs);
- Up to UK £3.4 million for a “material contravention” that could result in a reduction of service provision by the OES or RDSP for a significant period of time;
- Up to UK £8.5 million for a “material contravention” which could result in a disruption of service provision by the OES or RDSP for a significant period of time; and,
- Up to UK £17 million for a “material contravention” which could result in an immediate threat to life or significant adverse impact on the UK economy.
The regulations on the Security of Network and Information Systems are available here.