The Network and Information Systems (NIS) Regulations 2018

1. Introduction

The NIS Regulations 2018 provides legal measures to protect essential services by improving the security of the network and information systems that support the continuation of these services. Drinking water supply and distribution has been designated an essential service within Schedule 1 of these Regulations.

2. Roles and Responsibilities under the NIS Regulations

Within the water sector, there are a number of different roles in order to deliver the NIS Regulations. These roles are fully outlined in the Roles and Responsibilities Guidance (PDF 311KB) however, below is a brief overview.

Competent Authorities

Oversight and enforcement of the NIS Regulations is the responsibility of the designated Competent Authority (CA). CA’s have the sole authority and responsibility for all regulatory decisions in relation to the NIS Regulations.

Whilst the Secretary of State (for England) and the Welsh Government (for Wales) are the designated competent authorities for the water sector, operational responsibilities of the competent authority function have been conferred to the DWI.

Operators of Essential Service

Under Schedule 2 of the Regulations, water companies supplying potable water to 200,000 or more people are automatically designated an Operator of Essential Service (OES). An OES must take appropriate and proportionate measures to manage risks to their network and information systems and to prevent and/or minimise the impact of incidents to those systems.

National Cyber Security Centre

The National Cyber Security Centre (NCSC) undertake the duties of the Single Point of Contact (SPOC) and the Computer Security Incident Response Team (CSIRT).

The NCSC is also the national technical authority and will be supporting OES and Competent Authorities in delivering the requirements of the Regulations.

3. Guidance on Implementing the NIS Regulations

One of the roles of the Component Authority is to prepare and publish guidance (regulation 3(3)) to its respective sector. OES must have regard to this guidance when carrying out their duties under regulation 10.

The subpages contain information and documents related to Incident Reporting and the Cyber Assessment Framework (CAF)

DWI will issue further Guidance Documents on Inspections (Audits) and it’s NIS Enforcement Policy by Dec 2018. This will complete the current set of NIS Guidance.


Page reviewed: 26 March 2019
Page modified: 26 March 2019

Drinking Water Inspectorate