Network and Information Systems Regulations 2018
The Network and Information Systems Regulations 2018 set UK cyber and incident duties for relevant operators of essential services and...
Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.
Quick read
- This law matters most for operators in essential services and some digital service providers, but it is also useful context for cyber expectations in supply chains.
- Businesses should know whether they are in scope, whether customers flow down security obligations and how serious incidents are escalated.
Likely relevant if
- Relevant digital service providers
- Suppliers to essential service operators
- Cloud, marketplace and platform businesses
Check first
- Check whether the business is an operator or digital service provider in scope
- Maintain appropriate network and information security measures
- Plan incident detection, escalation and reporting
What this means in practice
Key points
- Cyber compliance is not just an IT ticket when the service is business-critical.
- Customer contracts may impose NIS-style controls even where the law does not apply directly.
- Incident drills are easier than improvising during an outage.
When this law usually matters
Most businesses do not need to memorise the whole law. The useful starting point is to know when it is likely to affect a contract, customer journey, employee process, data flow or company decision.
Key points
- Relevant digital service providers
- Suppliers to essential service operators
- Cloud, marketplace and platform businesses
- Businesses with critical network or information systems
What to check first
Sense check
- Check whether the business is an operator or digital service provider in scope
- Maintain appropriate network and information security measures
- Plan incident detection, escalation and reporting
- Keep customer and regulator communication channels clear
Documents and workflows to review
Key points
- Cyber security policy
- Incident response plan
- Service availability records
- Customer security clauses
- Supplier risk register