The implementation of the NIS Regulations has many key stakeholders. The diagram below highlights these and below is a brief explanation on the role played by each.
The Role of UK government
The Department for Science, Innovation and Technology (DSIT) is the lead UK department responsible for the NIS Regulations and coordinates activities between the various NIS Competent Authorities across England, Scotland, Wales and Northern Ireland, as well as engaging with NCSC/GCHQ.
Regulated Sectors
The NIS Regulations 2018 cover a number of sectors. This includes:
- Energy sector (electricity, gas and oil)
- Transport sector (road, rail, water and air)
- Health sector
- Drinking water supply and distribution
- Digital infrastructure
Digital Services
There is another collection of service providers included within the regulations that do not belong to a particular sector, but are classed as Relevant Digital Service Providers (RDSPs) and are included in part 4 of the NIS regulations. These would include organisations that provide digital services such as an online marketplace, search engines or cloud computing services.
The Competent Authorities
Oversight and enforcement of the NIS Regulations is the responsibility of the designated NIS Competent Authority. These can be found in schedule 1 of the NIS Regulations.
The UK Government decided that a multiple NIS Competent Authority approach was appropriate, with each NIS Competent Authority having a detailed understanding of the individual sector/region and the associated challenges. NIS Competent Authorities have therefore been designated for sectors and regions covered by the NIS Regulations. The following NIS Competent Authorities (CAs) have been designated for services that operate in Northern Ireland or at a UK level encompassing responsibilities for Northern Ireland.
Department of Finance (DoF)
CA for Operators of Essential Services (OES) in Northern Ireland.
The Department of Finance (DoF) is a designated NIS Competent Authority and regulates Operators of Essential Services within Northern Ireland in the discharge of their duties under the Network and Information Systems Regulations 2018; in the following sectors: energy (electricity, oil and gas); transport (rail and road); health; and drinking water supply and distribution.
Information Commissioner Office (ICO)
UK Level CA for Relevant Digital Service Providers (RDSP)
The Information Commissioner is designated at a UK level for organisations defined as relevant digital service providers (RDSPs). A RDSP would provide services such as online marketplaces, online search engines and cloud computing services.
Office of Communications (Ofcom)
UK Level CA for Digital Infrastructure Services
Office of Communications (Ofcom) are designated at a UK level as the NIS Competent Authority for Digital Infrastructure which are specific kinds of services such as top-level domain registration services, Domain Name System (DNS) services and Internet Exchange point (IXP) services.
Civil Aviation Authority (CAA)
UK Level CA for Air Transport
The Secretary of State for Transport and Civil Aviation Authority (act jointly) for the air transport sector across the UK. This subsector includes passenger airports, en-route air traffic control services, provision of services by air carriers that meet the thresholds defined in Schedule 2 of the Network and Information Systems Regulations 2018.
Secretary of State for Transport
UK Level CA for Water Transport
The Secretary of State for Transport is responsible for the water transport sector across the UK. This subsector includes shipping in the UK for freight and passenger services subject to meeting the thresholds set out in Schedule 2 of the Network and Information Systems Regulations 2018.
Where the Secretary of State for Transport is the NIS Competent Authority, the Cyber Compliance Team (CCT) in the Department for Transport will be responsible for carrying out the roles and responsibilities of the competent authority on behalf of the Secretary of State for Transport.
Operators of Essential Services
An organisation is deemed an Operator of Essential Service (OES) under the NIS regulation 2018 if it relies on network and information systems to deliver its essential service and meet certain criteria set out in schedule 2 of the Network and Information Systems Regulations 2018. The Department of Finance, as the NIS Competent Authority, may designate other Operators of Essential Services where certain conditions (which are set out in the legislation) are met.
The criteria for identification of an Operator of Essential Services is:
- It delivers an essential service as set out in schedule 2 of the Regulations; where an “Essential Service” means a service which is essential for the maintenance of critical societal or economic activities;
- The service relies on network and information systems; and
- The service satisfies a threshold requirement for that essential service as set out in Schedule 2 of the regulations.
If an organisation meets the above criteria, it is deemed to be designated under the legislation and must notify the designated NIS Competent Authority.
If an organisation meets criteria 1 & 2 above, the relevant NIS Competent Authority may still designate them as an Operator of Essential Service even if the organisation does not meet the threshold requirement. This will be done if the NIS Competent Authority concludes that any incident affecting the essential service is likely to have a significant disruptive effect and the organisation will be informed of its designation in writing.
An OES has responsibilities to protect the information systems that the essential service relies on and to report an incident to the NIS Competent Authority where that causes a significant impact to the continuity of the service.