The EU Directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving Member States 21 months to embed the Directive into their respective national laws. The government laid new regulations on the Security of Network and Information Systems in the Houses of Parliament on 20th April 2018, and the Directive comes into force on 10th May 2018.
All organisations deemed by the NIS Competent Authorities to be 'Operators of Essential Services' will be affected by the introduction of the Directive. The pages below are intended to assist the Competent Authorities and the OES to meet some of the Directive requirements.
You should work your way through the pages below in sequence. This will give you a picture of overall NIS Directive security requirements and also the best understanding of how to use our guidance. For definitive information on the role that our NIS guidance will play in your sector please consult your NIS Competent Authority.
Notice on NIS Guidance
The National Cyber Security Centre (the NCSC), as the United Kingdom’s national technical authority for information assurance which provides advice and assistance on cyber security in accordance with its functions under the Intelligence Services Act 1994, has provided the cyber security guidance which is set out in the parts of the NCSC website linked from this page. Please contact the NCSC at for more information about this guidance.
The Department of Culture Media and Sport (DCMS) has provided the non-cyber elements of guidance for principles A2, B5 and D1 incorporated into NCSC NIS guidance webpages. Please contact email@example.com for more information about the non-cyber guidance provided for these principles.
All NIS guidance is subject to the general terms and conditions of the NCSC website.