In our first client alert we set out how the UK Network and Information Systems Regulations 2018 (NIS Regulations) set certain incident notification obligations on operators of essential services (OES) and digital service providers (DSPs) to ensure compliance and manage security risk.  

OES were required to register with the designated Competent Authority (CA) for their sector by 10 August 2018. DSPs have until 1 November 2018 to register with the ICO.    

Sector-led guidance on the implementation of the NIS Directive  

CAs are required to issue guidance outlining how they will regulate their sector, including their approach to enforcement and incident reporting. So far, various CAs have issued sector-led guidance including interim guidance in respect of the digital sector below:  


The Office of Communications (Ofcom) interim guidance:

  • identifies the three categories of deemed OES as set out in paragraph 10 of Schedule 2 to the NIS Regulations. These are: Top Level Domain Name Registries; Domain Name Service Providers; and Internet Exchange Point Operators
  • sets out Ofcom's initial views on the immediate steps OES in the digital infrastructure subsector are expected to take, as a minimum, to meet their obligations under the NIS Regulations
  • provides information about which types of operators must comply with NIS Regulations
  • sets out the process and thresholds for reporting relevant security incidents that such operators must initially follow
  • introduces Ofcom's intended initial enforcement approach

CAs in other sectors who have issued guidance can be viewed in the detailed client alert here.