Contact Us

Contact Us

Please get in touch using the form below

I prefer to be contacted by:
View our privacy policy
Learn how open source threat intelligence can be used to defend against cyber-attacks. Join our webinar on August 4th.


Securing essential services

With an increasing number of cyber threats targeting critical infrastructure, the importance of protecting operators of essential services, such as transportation, health, water and energy, has never been greater.

EU Directive 2016/1148, the Directive on the Security of Networks and Information Systems (the NIS Directive or Cyber Security Directive), came into force in July 2016 and was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.

The NIS Directive is designed to improve security and resilience across the European Union by ensuring that operators of essential services and digital services providers have the necessary controls in place to minimise security risk.

NIS Directive Summary

What is the NIS Directive?

The NIS Directive is an EU-wide cyber security directive designed specifically to enhance the resilience of network and information systems. It requires member states to ensure that providers of critical infrastructure and services have appropriate security measures in place to manage cyber risk and maintain continuity. Member states are also required to designate one or more NIS competent authorities (CAs) to help oversee implementation of the Directive.

In the UK, the CAs responsible for enforcing the NIS Regulations include the Secretaries of State for Energy, Transport, Health and the Environment, and various devolved authorities such as the Department of Finance for Northern Ireland and the Welsh and Scottish Ministers.

NIS Application

Who does the NIS Directive apply to?

The UK NIS Regulations apply to:

Operators of Essential Services (OES)

Operators of Essential Services are public or private sector organisations that are dependent upon network and information systems to provide an essential service to society that could be significantly disrupted by a cyber incident. Sectors that fall under this definition include energy, transportation, water and healthcare. Most banking and financial services organisations are exempt from most of the NIS Regulation, as high standards in finance are already enforced by the Bank of England and Financial Conduct Authority.

Relevant Digital Service Providers (RDSP)

Three types of Digital Service Provider are also included in the scope of the NIS Regulations – online marketplaces, online search agencies and cloud computing services (including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) providers. RDSPs that employ fewer than 50 people, have an HQ outside the UK, and/or have an annual turnover of under €10 million are automatically excluded from the scope of the NIS Regulations.


NIS Regulations requirements

Article 14 of the NIS Directive outlines fourteen key principles, split across four top-level objectives. In the UK, the National Cyber Security Centre has released a cyber assessment framework (CAF) to help organisations comply with these principles.

Objective A: Managing security risk

Ensuring that appropriate policies and procedures are in place to understand, assess and systematically manage risks to the networks and information systems that support essential services. Included within NISD Objective A:
- A.1 – Governance
- A.2 – Risk management
- A.3 – Asset management
- A.4 – Supply chain

Objective B: Protecting against cyber attack

Implementing proportionate security measures to protect essential services and systems from cyber-attack. Included within NIS Directive Objective B:
- B.1 – Service protection policies and processes
- B.2 – Identity and access control
- B.3 – Data security
- B.4 – System security
- B.5 – Resilient network and systems
- B.6 – Staff awareness and training

Objective C: Detecting cyber security events

Having capabilities to ensure security measures remain effective and to detect cyber incidents that could affect essential services. Included within NISD Objective C:
- C.1 – Security monitoring
- C.2 – Proactive security event discovery

Objective D: Minimising impact of cyber incidents

Ensuring the ability to minimise the impact of security incidents on essential services. Included within NIS Directive Objective D:
- D.1 – Response and recovery planning
- D.2 – Lessons learned/improvements

Audits & penalties

NIS security audits and penalties for non-compliance

Adherence to each NIS principle is judged on how well a total of 39 outcomes are met. Each outcome is assessed based upon Indicators of Good Practice (IGPs).

OESs will be regularly audited by their relevant competent authority to ensure they are fully compliant with the NIS Regulations, or at the very least, working towards compliance. RDSPs are not audited, but they are subject to investigation following any incident that could indicate non-compliance.

In the UK, non-compliant organisations may be fined up to £17 million. The largest fines will be imposed where an incident results in an immediate threat to life or significant adverse impact on the UK economy.

If an OES or RDSP also falls foul of the GDPR and/or DPA 2018, the organisation could be liable to receive separate sanctions. While the UK government has stated that OESs and DSPs should not be tried for the same offence twice, there may be reason for them to be penalised under different regimes if there are multiple, distinct instances of wrongdoing.

A team of security experts using the latest threat intelligence


How to comply with the NIS Directive
& NIS Regulations

As an award-winning provider of managed security and assessment services, Redscan can help your organisation achieve NIS compliance. Our services enable you to:

About us

Why choose Redscan?

  • A leading UK-based MDR company
  • Red and blue team CREST CSOC expertise
  • High-quality intelligence and actionable outcomes
  • Quick and hassle-free service deployment
  • An agnostic approach to technology selection
  • Avg. >9/10 customer satisfaction, 95% retention rate

Get in touch

Complete the form for a prompt response from our team.

I prefer to be contacted by:
View our privacy policy


Discover our latest content and resources

From the blog
From the blog Case studies Latest news
13th July 2020
‘123456’ still the most popular online password

An analysis of over a billion breached credentials has revealed that one in every 142 people uses the password '123456', increasing their vulnerability to hackers.

7th July 2020
Significant rise in volume and size of fines for data breaches predicted
A new study has suggested that the number and value of fines for data breaches will increase dramatically between now and 2025. This is thought to be because employees have access to more data than ever before.
26th June 2020
One million phishing scams reported to NCSC in just two months
The UK’s National Cyber Security Centre (NCSC) has received one million reports of scam emails since launching its new reporting service in April. More than half of online scams reported were fake cryptocurrency investment lures.