The U.K. government this week published a consultation seeking views on its plans to implement the EU’s Network and Information Systems Directive, which is due to come into force in May 2018.

As reliance on technology grows, the impact of system failures and opportunities for cyber-attacks increases. “We need to secure our technology, data, and networks in order to keep our businesses, citizens, and public services protected,” the U.K. government stated. The government said it supports the aims of the directive on Security of Network and Information Systems (NIS Directive) and sets out in its consultation the proposed implementation approach in the United Kingdom.

“The NIS Directive will help make sure U.K. operators in electricity, transport, water, energy, transport, health, and digital infrastructure are prepared to deal with the increasing numbers of cyber threats,” the U.K. government stated. “It will also cover other threats affecting IT—such as power failures, hardware failures, and environmental hazards.”

Steven Hadwin, an associate in the global cyber-security team at Norton Rose Fulbright, says the consultation paper “demonstrates the U.K. government’s support of the spirit, as well as the letter, of the NIS Directive. The U.K. government clearly recognises the need to develop a detailed and coherent national framework around cybersecurity, which will involve oversight from a number of competent national authorities.”

“The principles-based security requirements which the government is proposing to impose on operators of essential services—as well as the detailed reporting requirements and significant penalties regime that it is proposing to implement—make clear that affected organisations should engage with the consultation at this stage and take immediate steps to prepare for the legislation’s introduction next year,” Hadwin adds.  

The open consultation, announced 8 August, seeks views from industry, regulators, and other interested parties on the government’s plans to transpose the Directive into U.K. legislation. It sets out the government’s proposed transposition approach and asks a series of questions on a range of detailed policy issues relating to transposition.

The consultation covers:

Essential services the Directive needs to cover;


Competent authorities to regulate and audit specific sectors;

Security measures we propose to impose;

Timelines for incident reporting; and

How this affects Digital Service Providers.

Responses to the consultation may be made online here, or via the other ways set out in the consultation document. The consultation closes at 11:45pm on 30 September.