Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is NIS Compliance And Does It Apply To My Business?
- What Are The Core NIS Duties?
- How Does NIS Interact With UK GDPR And Other Laws?
Step-By-Step: A Practical Path To NIS Compliance
- 1) Confirm Applicability And Register Where Required
- 2) Map Critical Services, Systems And Data
- 3) Implement Appropriate And Proportionate Security Controls
- 4) Strengthen Supplier And Contract Controls
- 5) Build A Joined-Up Incident Response Plan
- 6) Document Policies, Train Staff And Prove “Appropriate” Measures
- 7) Test, Review And Improve
- What Will Regulators Expect To See In An Audit Or Investigation?
- What Are The Penalties For Non-Compliance With NIS?
- Common Mistakes SMEs Make With NIS (And How To Avoid Them)
- Essential Legal Documents To Support NIS Compliance
- How Should Small Businesses Prepare For Future Changes?
- Key Takeaways
If your business provides online services or supports critical infrastructure, you may be wondering whether the UK’s Network and Information Systems (NIS) regime applies to you - and what “NIS compliance” actually involves.
Don’t stress. While the rules are serious (with significant fines for non‑compliance), the day‑to‑day actions to meet NIS duties are manageable with the right plan, documents and processes. This guide explains who NIS applies to, what regulators expect, how NIS overlaps with UK GDPR, and the steps small businesses can take to get compliant and stay that way.
By the end, you’ll know where your business stands and what to put in place to be protected from day one.
What Is NIS Compliance And Does It Apply To My Business?
NIS is the shorthand for the Network and Information Systems Regulations 2018. These UK regulations aim to improve the security and resilience of networks and information systems that are critical to everyday life and the economy.
NIS primarily applies to two groups:
- Operators of Essential Services (OES): Organisations in sectors like energy, transport, health, water and digital infrastructure. OES are designated by sector regulators (“competent authorities”).
- Relevant Digital Service Providers (RDSPs): Online marketplaces, online search engines and cloud computing service providers that meet certain thresholds, and provide services to the UK.
Most small businesses won’t be OES. However, some tech SMEs do fall within the RDSP category - particularly cloud and platform providers once they outgrow the micro/small enterprise exemption. That exemption follows the EU small-enterprise definition: you stay out of scope only while you have fewer than 50 staff and an annual turnover or balance sheet total of €10 million or less, so crossing either threshold brings you in. If you’re unsure, map your services against the RDSP definitions (online marketplace, online search engine, cloud computing service) and check your headcount and turnover against those thresholds.
Key point: even if you’re not within NIS, many NIS-style security practices are fast becoming baseline expectations in contracts and due diligence. Building them now helps you win enterprise clients, pass audits and grow with confidence.
What Are The Core NIS Duties?
At a high level, NIS requires in-scope entities to implement “appropriate and proportionate” measures to manage risks to the security of network and information systems, and to minimise the impact of incidents. In practice, regulators expect to see the following:
- Risk management: A documented risk assessment covering your systems, data, dependencies and critical services - and controls matched to those risks.
- Security controls: Technical and organisational measures such as access control, encryption, patching, logging and monitoring, vulnerability management, and secure development practices.
- Business continuity and resilience: Backups, disaster recovery, tested failover arrangements and service continuity planning.
- Incident response: A clear playbook for detecting, containing, investigating and reporting incidents (including when to notify regulators and customers).
- Supplier and supply chain security: Due diligence on vendors, contractual security obligations and ongoing assurance for critical third parties (e.g. hosting, MSPs, SaaS tools).
- Governance, roles and training: Accountable leadership, named security roles, security awareness training and regular reviews.
RDSPs must also notify the ICO (their NIS competent authority) of any incident that has a substantial impact on the provision of their service, without undue delay and in any event no later than 72 hours after becoming aware of it. OES face the same statutory deadline for incidents that significantly affect their essential service, reporting to their sector competent authority; some sector regulators also ask for earlier informal notice, so check your regulator’s guidance.
How Does NIS Interact With UK GDPR And Other Laws?
NIS often sits alongside - not instead of - the UK GDPR and the Data Protection Act 2018. If a cyber incident involves personal data, you may need to report under both regimes. The deadlines are tight under each (72 hours from awareness for personal data breaches to the ICO under UK GDPR, and no later than 72 hours under NIS for reportable incidents), but the thresholds, recipients and required content differ, so run a single assessment that produces both notifications rather than two separate processes.
Other intersecting requirements include:
- PECR (Privacy and Electronic Communications Regulations): Rules for cookies and communications security; your public-facing Cookie Policy should align with your technical controls and consent approach.
- Sector standards/contracts: Clients may mandate ISO 27001 controls, Cyber Essentials Plus, penetration testing or specific incident reporting terms - these often mirror or exceed NIS expectations.
- Computer Misuse and fraud laws: Inform your detection and response practices (e.g. preserving evidence and engaging law enforcement when appropriate).
Bottom line: design your security, incident response and reporting so they meet both NIS and data protection requirements, and make sure your documents and processes consistently reflect what you actually do.
Step-By-Step: A Practical Path To NIS Compliance
1) Confirm Applicability And Register Where Required
- Assess whether you’re an OES (via sector designation) or qualify as an RDSP (online marketplace, search engine or cloud provider above the threshold).
- RDSPs must register with the ICO within three months of falling within scope; OES follow sector regulator processes. Keep your details up to date and understand sector guidance.
2) Map Critical Services, Systems And Data
- Identify the services that are “essential” to your customers and the systems that support them (production environment, identity and access, logging, backups, deployment pipelines).
- Document dependencies: hosting, DNS, DDoS mitigation, CI/CD tools, managed service providers and key SaaS platforms.
- Record what data moves where (including personal data), so you can align NIS and UK GDPR duties.
3) Implement Appropriate And Proportionate Security Controls
- Identity and access: MFA, least privilege, role-based access, joiner-mover-leaver controls, admin account segregation.
- Hardening and patching: Asset inventory, vulnerability scanning, defined patch SLAs, secure configuration baselines.
- Data security: Encryption at rest and in transit, key management, secure secrets handling.
- Monitoring and logging: Centralised logs, alerting for suspicious behaviour, time synchronisation, retention policies.
- Secure development: Code review, dependency management, SAST/DAST, change control, segregated environments.
- Backups and continuity: Regular tested backups, immutable storage for critical data, disaster recovery drills.
4) Strengthen Supplier And Contract Controls
- Risk‑rate suppliers by criticality, do proportionate due diligence (security questionnaires, certifications, breach history) and bake obligations into contracts.
- Use a Data Processing Agreement with processors handling personal data, setting clear security, audit and breach notification duties.
- Where you exchange non‑personal confidential information or shared responsibilities, consider a tailored Data Sharing Agreement from our Data Protection Pack.
5) Build A Joined-Up Incident Response Plan
- Create and test a playbook that integrates NIS incident thresholds, UK GDPR reporting and contractual notification duties.
- Define roles (lead investigator, comms, legal, exec sponsor), internal and external contacts, escalation paths and evidence handling.
- Prepare regulator-ready templates and customer comms. A practical starting point is a tailored Data Breach Response Plan.
6) Document Policies, Train Staff And Prove “Appropriate” Measures
- Adopt and implement an Acceptable Use Policy, access control standards, secure development standards and a security training programme.
- Keep policy and control evidence: risk registers, change records, patch metrics, access reviews, training logs and test results.
- Align customer-facing documents (e.g. your Privacy Policy and Cookie Policy) with what you actually do in practice.
7) Test, Review And Improve
- Run tabletop exercises and technical testing (vulnerability scans, pen tests appropriate to your risk profile) and track remediation.
- Review lessons learned after incidents or near-misses. Update your risk assessment and controls at least annually, or when things change (new systems, acquisitions, major incidents).
What Will Regulators Expect To See In An Audit Or Investigation?
Competent authorities (like the ICO for RDSPs) will look for evidence that your measures are appropriate and proportionate to your risks. Expect questions and sampling across:
- Risk assessment: How you identified critical services and prioritised risks, and whether this is kept current.
- Control implementation: Proof that controls exist and operate effectively (for example, MFA roll‑out, patch timelines, access reviews and logging configuration).
- Incident handling: Detection capability, decision‑making around notification thresholds, timelines and quality of notifications.
- Supplier oversight: Due diligence records, contractual clauses, periodic assurance for high‑risk vendors.
- Governance: Board or leadership engagement, named accountable roles, policy enforcement and staff training.
Think “show, don’t tell.” A policy is useful, but regulators want to see operating evidence and improvement over time.
What Are The Penalties For Non-Compliance With NIS?
NIS has a tiered enforcement regime. Penalties scale with the seriousness of the contravention, from lower bands for minor failures up to a maximum of £17 million for the gravest breaches (for instance, a failure to implement appropriate measures, or to notify a reportable incident, that causes or could cause serious harm). Regulators can also issue information notices and enforcement notices requiring corrective action, and have powers of inspection.
Separate to NIS, remember UK GDPR and PECR have their own penalty frameworks. If an incident involves personal data, dual exposure is possible. That’s why a joined‑up approach to security and reporting is so important.
Common Mistakes SMEs Make With NIS (And How To Avoid Them)
- Assuming “we’re too small” to be in scope: Some digital services only fall into NIS once a size threshold is met - but clients may still expect NIS‑style controls beforehand. Build good security early so you’re ready when you cross the line.
- Policies on paper, not in practice: Regulators assess operation, not just documentation. Track and evidence that controls are used and reviewed.
- Confusing NIS and UK GDPR reporting: They overlap but are not identical. Your plan should clearly set out when and how to notify under each regime.
- Weak supplier controls: Third‑party outages and compromises drive many incidents. Contract for security, perform proportionate due diligence and assure critical suppliers regularly. Use a robust Data Processing Agreement with processors.
- No incident practice: The first time your team meets shouldn’t be during a live incident. Tabletop your Data Breach Response Plan and fix gaps.
Essential Legal Documents To Support NIS Compliance
NIS is a security regime, but legal documents are critical to make those controls real and enforceable - especially with staff and suppliers. Depending on your services, consider:
- Data protection suite: A tailored Data Protection Pack to align your processing, roles, and documentation with UK GDPR and NIS expectations.
- Processor contracts: A strong Data Processing Agreement to lock in security, sub‑processor controls, audit rights and breach notification timelines.
- Public-facing notices: A compliant Privacy Policy and Cookie Policy that reflect your real practices and tech stack.
- Internal governance: An Acceptable Use Policy, access control standards and security awareness materials that staff actually follow.
- Incident materials: A regulator‑ready Data Breach Response Plan, notification templates and playbooks aligned with your sector timelines.
Avoid generic templates - the right approach depends on your services, risk profile and regulator. It’s wise to get a short Data Protection Consultation so your documents and controls are tailored and defensible.
How Should Small Businesses Prepare For Future Changes?
Cyber threats and regulation evolve. The UK has consulted on reforms to expand and update the NIS framework (for example, to cover more managed service providers and clarify incident thresholds). Even before formal changes land, enterprise clients are already asking smaller suppliers to meet higher security standards.
Practical steps to stay ahead:
- Track regulator updates (ICO and your sector regulator) and update your risk assessment annually.
- Adopt recognised frameworks proportionate to your size (e.g. Cyber Essentials Plus as a baseline; map controls to ISO 27001 as you grow).
- Embed supplier security into procurement and vendor management from day one.
- Keep your legal documents aligned with real-world processes - and refresh them after major changes, audits or incidents.
Key Takeaways
- NIS applies to Operators of Essential Services and to certain Relevant Digital Service Providers (online marketplaces, search engines and cloud providers above size thresholds). If in doubt, assess your services and dependencies early.
- Core duties are “appropriate and proportionate” security, resilience and incident reporting. Regulators will want to see operating evidence - not just policies.
- Design your plans so NIS incident reporting and UK GDPR breach reporting work together. Timelines are tight and requirements overlap.
- Lock down supplier risk with due diligence and contracts. Use a tailored Data Processing Agreement and keep assurance going for critical vendors.
- Put in place practical documents that match what you do: a Privacy Policy, Cookie Policy, Acceptable Use Policy and a tested Data Breach Response Plan.
- Review and improve regularly. Testing, metrics and board‑level oversight are your best defence - and your best evidence - for NIS compliance.
If you’d like help scoping whether NIS applies, tightening your contracts and policies, or building an incident plan that satisfies regulators and clients, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.