United Kingdom Regulation

Network and Information Systems Regulations 2018

The Network and Information Systems Regulations 2018 set UK cyber and incident duties for relevant operators of essential services and...

In force | United Kingdom | Plain-English guide | 4 practical checks

Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.

What this means in practice

This law matters most for operators in essential services and some digital service providers, but it is also useful context for cyber expectations in supply chains. Businesses should know whether they are in scope, whether customers flow down security obligations and how serious incidents are escalated.

Key points

  • Cyber compliance is not just an IT ticket when the service is business-critical.
  • Customer contracts may impose NIS-style controls even where the law does not apply directly.
  • Incident drills are easier than improvising during an outage.

When this law usually matters

Most businesses do not need to memorise the whole law. The useful starting point is to know when it is likely to affect a contract, customer journey, employee process, data flow or company decision.

Key points

  • Relevant digital service providers
  • Suppliers to essential service operators
  • Cloud, marketplace and platform businesses
  • Businesses with critical network or information systems

What to check first

Sense check

  • Check whether the business is an operator or digital service provider in scope
  • Maintain appropriate network and information security measures
  • Plan incident detection, escalation and reporting
  • Keep customer and regulator communication channels clear

Documents and workflows to review

Key points

  • Cyber security policy
  • Incident response plan
  • Service availability records
  • Customer security clauses
  • Supplier risk register
