Open Nav

UK Government launches consultation on implementing NIS Directive

The UK Government has launched a consultation on its plans to implement the Security of Network and Information Systems Directive (“NIS Directive”). The NIS Directive was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to transpose the Directive into domestic legislation. The Government has emphasised that it supports the overall aim of the NIS Directive and that its intention is that this legislation will continue to apply in the UK even after the UK has left the EU.

The NIS Directive imposes obligations on two groups of businesses: “operators of essential services” and digital service providers. However, it does not affect network providers as they are already subject to similar obligations in the UK under Section 105 of the Communications Act 2003.

Under the Directive, operators of essential services including those in the energy, transport, water, healthcare and digital infrastructure sectors will have to take “appropriate and proportionate” security measures to manage the risks to their network and information systems. Operators of essential services will also be required to notify serious incidents to the relevant authority.

Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and incident notification requirements established under the Directive.

Organisations who fall in scope of the Directive will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after an event, with the capability to respond and restore systems. The Government has stated that “any operator who takes cyber security seriously should already have such measures in place.”

Organisations who fail to implement effective security measures could be fined as much as £17 million or 4 per cent of global turnover. The Government has said, however, that fines would be a last resort, and will not apply to operators that have “assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.”

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulations (GDPR).

The consultation closes on 30 September 2017.

For more information, see: Consultation on the Security of Network and Information Systems Directive

< Go Back

Latest News

9th October 2025

LINX Accra – Ghana’s New Internet Exchange Point, Ready for Business

By Lynsey Buckingham

The London Internet Exchange (LINX) is proud to announce that their new interconnection point in Ghana is now ready...

Read More
7th October 2025

LINX Deploys OpenBGPD on LON1

By Tom Lloyd-Roberts

LINX is delighted to announce the successful deployment of OpenBGPD on our LON1 route-servers. A milestone that completes the...

Read More
6th October 2025

25 x 400GE Port Count Milestone Across Global Network Achieved

By Lynsey Buckingham

The London Internet Exchange (LINX) achieved a major milestone, successfully deploying their 25th 400GE port across their global network,...

Read More
Email
Call