The Network and Information Systems Regulations 2018: guide for the health sector in England
Updated 27 September 2023
Applies to England
Introduction
Cyber security is an increasingly pivotal enabling factor in everything the health and care system delivers, protecting patient safety and maintaining public trust in services.
The Network and Information Systems Regulations 2018 (NIS Regulations) seek to ensure that organisations providing essential services that we all rely on have the right measures in place to manage risks and protect the network and information systems which support those services.
As such, the NIS Regulations place security duties and reporting requirements on operators of essential services (OESs) and relevant digital service providers (RDSPs). The NIS Regulations are relevant where services are essential for the maintenance of critical societal or economic activities, including healthcare, transport and the supply of electricity and water.
Requirements under the NIS Regulations relate to the network and information systems underlying essential services and cover both:
- cyber risk, which is not limited to malicious actors and cyber attacks and includes accidents and risks arising from legitimate activity
- broader resilience risk, such as external environmental factors or hardware failure
Where OESs and RDSPs do not comply with these requirements, regulatory action can be taken.
Healthcare services are an essential service under the NIS Regulations, with NHS trusts and foundation trusts, integrated care boards (ICBs) and certain independent providers currently designated OESs for healthcare services. The Secretary of State for Health and Social Care (the Secretary of State), acting through the Department of Health and Social Care (DHSC), is responsible for overseeing the operation of the NIS Regulations as they relate to OESs within the health sector in England.
Throughout this guide, ‘DHSC’ and ‘the department’ are used interchangeably to refer to the Department of Health and Social Care.
Who this guide is for
This guide is intended to help designated OESs in the health sector in England comply with the NIS Regulations.
This guide is prepared and published under regulation 3, which requires the department to prepare and publish guidance. OESs must have regard to it when carrying out their security and incident reporting duties under regulations 10 and 11.
This version supersedes the previous version of the guide published in 2018, which is now no longer valid. The key updates to the guide include:
- how the regulations fit into delivery of the cyber security strategy for health and social care and protecting patient safety
- changes to the NIS Regulations since 2018, including their application to ICBs, and a forward look to likely changes
- governance, reflecting the merger of NHS Digital and NHS England
- how to fulfil the security and incident reporting duties
- the enforcement approach and examples
- how appeals work
The intended audience for this guide within OESs reaches beyond cyber and IT professionals, reflecting the fact that cyber security is not only an IT problem. Chief executive officers, senior information risk officers, chief information officers, chief finance officers (or equivalents) and other board members should be aware of the OES’s obligations, as well as staff working across resilience, incidents, patient safety, risk, workforce, strategy and operations, and finance, commercial and procurement (this is a non-exhaustive list).
Other organisations covered by NIS Regulations, such as RDSPs or OESs in sectors other than the health sector, should look to their own competent authorities for specific guidance.
For urgent cyber security issues that require immediate advice and support, contact the NHS data security helpline on 0300 303 5222.
Guidance for RDSPs
This guide is not intended as guidance for RDSPs, including those operating in the health sector.
The Information Commissioner’s Office (ICO), as the competent authority for RDSPs, has published guidance for RDSPs on its website. An organisation qualifies as an RDSP if it meets all the following criteria:
- it provides one or more of the following digital services in the UK: an online search engine, an online marketplace or a cloud computing service
- its head office is in the UK, or it has nominated a UK representative
- it doesn’t meet the definition of a micro or small enterprise - this definition applies to companies that have fewer than 50 staff and an annual turnover or balance sheet of below €10 million
Background
The NIS Regulations require OESs to take appropriate and proportionate technical and organisational measures to:
- manage risks posed to the security of the network and information systems on which their essential service relies, whereby the measures taken must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed
- prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential services, with a view to ensuring the continuity of those services
- report any incident which has an adverse effect on the security of network and information systems and which has a significant impact on the continuity of an essential service that the OES provides, having regard to the number of users affected, the duration of the incident and the geographical area affected. Reports must be submitted via the Data Security and Protection Toolkit (DSPT) without undue delay and, in any event, no later than 72 hours after the OES became aware that a network and information systems incident has occurred
These measures are overseen by competent authorities (or regulators), who issue guidance and have powers to inspect organisations and take enforcement action (including imposing penalties of up to £17 million) where appropriate. The Secretary of State, acting through DHSC, is the competent authority for the health sector in England. References to ‘the department’ throughout this guide refer to DHSC acting on behalf of the Secretary of State.
Cyber strategy and the 5 pillars
The NIS Regulations are a crucial driver of the cyber security strategy for health and social care, which provides a unified approach to engage organisations working in or with health and care in meeting the vision for a cyber resilient sector by 2030, with all OESs in the sector significantly hardened to cyber attack no later than 2030.
The strategy sets direction for the health and care sector across 5 complementary pillars, which will allow organisations to focus their efforts according to their specific risks and needs while keeping a unified sector-wide approach. The 5 pillars are:
- Focus on the greatest risks and harms, to understand the most critical parts of the health and care sector whose disruption would cause the greatest harm, and ensure they are proportionately protected.
- Defend as one, to make sure the health and care system understands its interdependencies and takes advantage of its scale with a unified approach to cyber security. This means ensuring the health and care sector benefits from national resources and expertise, employs collective leverage capabilities and keeps to clear and consistent standards.
- People and culture, to build a health and care system where leaders, cyber professionals and generalist staff understand and are skilled to carry out their roles in relation to cyber security. Growing a profession of cyber experts in health and care will be key to achieving this.
- Build secure for the future, to embed security into existing and new health and care governance and technology from the very beginning so that cyber security is increasingly applied by default.
- Exemplary response and recovery, to support every organisation in health and care to be able to minimise the impact and recovery time of a cyber incident when it occurs - both directly and by promoting best practice and building capability.
The strategy also details current and emerging threats, the current state of the health and care sector and recognised challenges, as well as our growing capabilities and next steps.
The NIS Regulations also form part of the government’s National Cyber Strategy 2022 to protect and promote the UK’s interests in and through cyberspace and ensure that the UK continues to be a leading and democratic cyber power. The National Cyber Strategy is designated as the UK’s national strategy for the NIS Regulations.
Compliance as a critical factor for patient safety
In line with the cyber security strategy for health and social care, the NIS Regulations are an important lever for better protecting our services and ensuring we can provide the best care. By focusing on compliance with the NIS Regulations, we aim to:
- protect patient safety and services and improve patient outcomes
- better understand and better manage our greatest risks and harms - the NIS Regulations support the identification of priority areas and help to justify spending on the expansion of organisational capabilities addressing network and information systems’ risk
- minimise the impact of incidents with timely reporting, maximised use of available national services and application of response plans and learnings from rehearsals
- gather and share learnings from regulatory action that will benefit the wider system, as well as inform the development of national services
Updates to the NIS Regulations since 2018
As of 31 January 2020, the UK is no longer part of the European Union (EU). The NIS Regulations were amended to reflect the withdrawal of the UK from the EU. Amendments include the removal of obligations on UK competent authorities to liaise, co-operate and share information with the European Commission and authorities in EU countries, although co-operation and information sharing can still occur where appropriate. These amendments came into force on 31 December 2020[footnote 1].
The Department for Science, Innovation and Technology (DSIT), which took over this policy area from the Department for Digital, Culture, Media and Sport (DCMS), has also conducted 2 post-implementation reviews:
- Review of the Network and Information Systems Regulations 2018, published May 2020
- Second Post-Implementation Review of the Network and Information Systems Regulations 2018, published July 2022
These reviews assessed the impact and efficacy of the NIS Regulations as a framework and provided recommendations to the government for future reforms.
The first review (2020) concluded that the NIS Regulations had led to improvements in the security of the network and information systems of OESs and identified areas needing improvement, requiring further policy interventions from the government and amendments to the NIS Regulations.
As a result, the government introduced additional amendments to the NIS Regulations that came into force on 31 December 2020, including (but not limited to):
- clarification on information sharing between regulatory authorities and law authorities
- expansion of the grounds for issuing an information notice to allow competent authorities to establish whether any actions taken by operators led to an incident which affected their network and information systems
- clarification on the enforcement and penalties regime and the introduction of a new mechanism for appeals[footnote 2]
Through the Health and Care Act 2022, ICBs were designated as OESs for the health sector at their statutory launch on 1 July 2022[footnote 3]. Further information is available below (see the section ‘How the NIS Regulations apply to ICBs’).
Forward look
Following its second review, published in 2022, the government ran a public consultation on further proposals to amend the NIS Regulations, with a number of measures to address evolving cyber security threats. This included (but was not limited to) introducing powers to designate critical sectoral dependencies, such as suppliers, as OESs and to regulate those entities, as well as amending the incident reporting thresholds to require reporting of incidents that disrupt or pose a significant risk to the service. DSIT published a government response, including a breakdown of responses and explanation of how these shaped DSIT’s policy development. These updates to the NIS Regulations are expected to be made when Parliamentary time allows.
DHSC will also be undertaking a review of the current incident reporting thresholds, included in the section ‘Fulfilling the incident reporting thresholds’, below.
Governance
The Secretary of State, acting through DHSC, is the competent authority, with responsibilities in relation to the operation of the NIS Regulations within the sector. This includes taking enforcement action where necessary.
The department’s Joint Cyber Unit oversees the NIS Regulations, working closely with other national teams in both NHS England and the department, including those deployed regionally. It works with the support of NHS England’s Cyber Operations team (which operates the NHS data security helpline for reporting urgent cyber security issues). These teams provide technical and operational support to the department and OESs, including producing standards and guidance which may be relevant to the NIS Regulations, monitoring new threats and providing advice, assessments and training to NHS organisations.
The National Cyber Security Centre (NCSC), part of the Government Communications Headquarters, is the computer security incident response team (CSIRT) for the NIS Regulations, supporting the department and OESs by providing advice and technical expertise, as well as monitoring incidents and informing the sector of risks.
Under the NIS Regulations, competent authorities (including DHSC) may share information with each other, relevant law enforcement authorities, the CSIRT and relevant authorities in the EU if sharing that information is necessary for any of the following:
- the purposes of the NIS Regulations or of facilitating the performance of any functions of an enforcement authority
- national security purposes
- purposes related to the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution
Information shared must be limited to information which is relevant and proportionate to the purpose of the information sharing.
How the NIS Regulations apply to the health sector
The health sector is one of multiple sectors considered to require a high level of security of network and information systems. Within the health sector, healthcare services are considered to be essential services for the purposes of the NIS Regulations, and, as such, ICBs and certain healthcare providers specified in schedule 2 of the NIS Regulations are deemed to be designated as OESs. Other healthcare providers are separately designated as OESs by the Secretary of State under regulation 8 (where they meet specified criteria). The organisations currently specified in schedule 2 or otherwise designated under regulation 8 are:
- NHS trusts and foundation trusts
- ICBs
- certain independent providers of healthcare services
When carrying out their duties under the NIS Regulations, OESs must have regard to any relevant guidance issued by the Secretary of State (acting through DHSC). This includes:
- this guide
- any other guidance published by the department that is relevant to the NIS Regulations
The Secretary of State may designate other organisations as OESs if they meet the criteria set out in the NIS Regulations. Organisations this applies to will be notified in writing. The department also undertakes a review of OES designations at least biennially.
While not all health and care organisations are in scope for the NIS Regulations, all organisations with access to NHS patient data and NHS systems are held to high standards that reflect the sensitivity of data and criticality of network and information systems in health and care.
Any public body, or other person making arrangements with a public body, exercising functions in connection with the provision of health services or of adult social care in England is required to provide information about their data security to NHS England. This should be done by completing and publishing Data Security and Protection Toolkit (DSPT) assessments in accordance with the DAPB0086: Data Security and Protection Toolkit information standard published under section 250 of the Health and Social Care Act 2012. This is to provide assurance that they are practising good data security and that personal information is handled correctly. Additionally, completion of the DSPT is a contractual requirement specified in the NHS Standard Contract.
The DSPT incorporates a broad range of data security and data protection requirements, including the National Data Guardian’s 10 data security standards, the NIS Regulations security duties and the UK General Data Protection Regulation (UK GDPR). All organisations in the health and care sector must also comply with the requirements of the UK GDPR. There are different categories set for organisations completing the DSPT - category one is the highest and now covers all OESs, including the independent providers who are designated under regulation 8(3).
As part of the DSPT category one requirements, organisations are asked to use and comply with the requirements of the Respond to an NHS cyber alert service and have a nominated member in the Cyber Associates Network.
How the NIS Regulations apply to ICBs
Any service provided by an ICB (including the making of arrangements for the provision of services by others) is deemed to be an essential service. An ICB’s obligations under the NIS Regulations are therefore relevant to all the services they provide, including any services they provide which are outsourced to a third party.
Section 1I of the National Health Service Act 2006 (NHS Act 2006) establishes the ICB function of arranging for the provision of services for the purposes of the health service in England in accordance with the NHS Act 2006, which includes duties and powers set out in sections 3 and 3A of the NHS Act 2006 to arrange the provision of specified health services and facilities such as hospital accommodation and ambulance services. Further guidance on ICB functions is available at Integrated care systems: guidance. References to ‘integrated care systems’ (ICSs) in this guide refer to partnerships of organisations that come together to plan and deliver joined up health and care services, and to improve the lives of people who live in their area.
The NIS Regulations therefore apply to any services provided by the ICB and the underlying network and information systems, including for its role across the ICS, such as those supporting (list indicative not exhaustive):
- the running of the ICB itself - such as its HR and payroll services and internal communication channels
- the ICB’s role across the ICS in managing budget and allocating resources - such as its accounting and invoicing services
- the ICB’s role across the ICS in commissioning and procuring services and managing contracts - such as its contracting services, third party management systems, communication channels to contracted third parties such as email, and management of business continuity planning with contracted third parties. Third parties which are not themselves designated OESs are not subject to the security and reporting duties under the NIS Regulations, but the ICB should make these third parties aware of the ICB’s obligations and take steps to ensure appropriate measures are in place
- the ICB’s role across the ICS in planning and arranging services and tracking performance and quality - such as its programme management and governance and quality arrangements
- the ICB’s role across the ICS in providing services supporting integration - such as its emergency preparedness, resilience and response, electronic patient records, shared care records, system control centre and referral support centre services
Where the ICB outsources their services to third parties, similarly the ICB should make these third parties aware of the ICB’s obligations and take steps to ensure appropriate measures are in place.
Case study example: NHS continuing healthcare (CHC)
Continuing healthcare (CHC) is a package of healthcare which is arranged and funded by ICBs for adults who have been assessed as having a primary health need. ICBs are responsible and accountable for NHS CHC in most cases. The ICB’s network and information systems security and reporting duties apply to the ICB’s responsibilities in arranging and funding CHC, including, for example:
- making decisions on eligibility, and establishing and maintaining governance arrangements for CHC eligibility processes
- commissioning CHC, for example with NHS trusts and foundation trusts which are also themselves designated OESs or local authorities which are not currently designated OESs
The network and information systems security and reporting duties apply equally to the NHS trust or foundation trust, regarding its role in providing CHC. When working with other organisations delivering CHC, the ICB should ensure mechanisms are established for these organisations to notify the ICB if problems affecting their network and information systems may adversely impact the provision by the ICB of its own services.
OES responsibilities
Fulfilling the security duties
OESs should take informed, risk-balanced decisions about how they meet their security duties as set out in the NIS Regulations. OESs should record, manage and periodically review risks in relation to the network and information systems underlying their services, including risks to the supply chain. This should include measures to prevent and minimise the impact of incidents.
They must also identify broader resilience risks to their network and information systems, such as flooding, over-heating or power outages, and have appropriate organisational structures, policies and processes in place to manage these.
The DSPT sets out matters in relation to managing risks posed and preventing and minimising the impact of incidents affecting network and information systems, such as back-ups and ensuring software and hardware is supported and up to date. Ongoing self-assessment via the DSPT will support the early identification of critical vulnerabilities and expedite responses, supporting OESs to demonstrate fulfilment of their NIS Regulations’ security duties.
Guidance and resources
DHSC may issue additional guidance to OESs that they must have regard to covering specific risks or practices, such as the multi-factor authentication policy (also available on NHS England’s website).
The following guidance and resources may also be helpful for OESs:
- DSPT guidance, which is regularly updated on the DSPT website and supported by Toolkit webinars and update events
- NHS England guidance, including:
- NCSC guidance, including:
Over time the assertions and evidence items in the DSPT will be updated to increase alignment with the Cyber Assessment Framework. This is in line with the government cyber security strategy: 2022 to 2030 which sets out that adoption of the Cyber Assessment Framework across government will help build a foundation of organisation-level resilience and facilitate alignment of frameworks, ensuring consistency of reporting on risk levels.
Understanding and addressing network and information systems risk
Identifying, assessing and prioritising risk is fundamental to an OES’s ability to make risk-based decisions regarding security and resilience. With increasingly digitised, connected and transformed services, we expect OESs to maintain an up-to-date awareness of the network and information systems underpinning the delivery of their essential services and to identify, understand and address both direct and indirect risks to the security of those systems.
Although DHSC does not currently mandate a specific risk management methodology, OESs should ensure effective risk management, and in turn prevent and minimise the impact of incidents, by:
- having a clear, logical and demonstrable methodology for assessing the potential impact of disruption to specific services they provide, commission or procure and specific network and information systems underpinning those services
- ensuring these assessments also extend to services that do not themselves deliver direct care but whose partial or total unavailability over a period could affect the delivery of direct care, such as sterilisation services which are critical to performing surgery
- involving key stakeholders and ensuring appropriate board level sign off of risks, undertaking routine reviews as well as reviews in response to changes such as to technical infrastructure and physical locations
- making informed decisions about potential impacts to the network and information systems supporting their essential services, including accounting for worst-case scenarios - this includes identifying risks and taking appropriate and proportionate measures to ensure that disruption to their essential services is minimised
- considering and accounting for risk that crosses organisational boundaries, establishing both their own responsibilities and their dependencies on services owned by other organisations
- ensuring that where there are dependencies or outsourced services, OESs make all parties aware of the duties and take steps to ensure appropriate measures are in place to address risk
Ultimately, organisations (including OESs) are responsible for their own risk.
The department is committed to using a proportionate approach to determining whether security duties have been met, recognising an OES will no doubt need to make difficult decisions around the prioritisation of different risk mitigations and closures. Further information is available below in the section ‘Enforcement’.
While systems directly supporting the provision of care, such as the ability to access medical records or imagery, should be prioritised, services supporting the running of the healthcare setting, such as finance, payroll, catering and parking, should also be addressed as part of the OES’s risk management processes.
Fulfilling the incident reporting duties
OESs must report any incident that has a significant impact on the continuity of the essential service the OES provides. An incident is defined in the regulations as any event having an actual adverse effect on the security of the network and information systems. This includes incidents that significantly impact third party suppliers on which OESs rely to provide their essential services.
Network and information systems incidents must be reported via the DSPT incident notification tool without undue delay, and in any event no later than 72 hours after the OES became aware of the network and information systems incident. The DSPT provides the incident reporting mechanism for the information that must be provided to DHSC for network and information systems incidents. OESs should make the formal report on suspected network and information systems incidents via the DSPT at the earliest opportunity, even where there are gaps in the information currently available. The department may follow up with OESs to confirm further detail on incidents and impact.
In order to determine the significance of the impact of an incident, an OES must have regard to all of the following factors:
- the number of users affected by the disruption of the essential service
- the duration of the incident
- the geographical area affected by the incident
The current thresholds set for the health sector definition of significant impact, for the purposes of the NIS Regulations, are available below in table 1. These thresholds will remain under review and any changes will be communicated to OESs.
During incident management, and as part of the process of post-incident reviews, OESs should compare the known impact of incidents with the thresholds in table 1. There may be some incidents where the impact is only later judged as meeting the network and information systems incident thresholds, for example following a clinical harm review - equally, these incidents must be reported via the formal DSPT route no later than 72 hours after the OES became aware of this assessment.
Table 1: network and information systems incident thresholds
Incident category | Criteria for incident threshold | Type of OES the incident category applies to | Rationale |
---|---|---|---|
Excess fatalities | Greater than 0 excess fatalities | All | Public safety |
Excess casualties | Greater than 0 excess casualties | All | Public safety |
Potential clinical harm | Greater than 50 patients at risk of potential clinical harm | All | Public safety |
Closure or diversion of emergency departments – major trauma centre | Greater than 3 hours | Trust – major trauma centre | 10% of population, 3 hours |
Closure or diversion of emergency departments – all other organisations | Greater than 24 hours | Trust or independent provider – non major trauma centre | City, 1% of population, 24 hours |
Outpatient appointments cancelled | 1,500 | Trust or independent provider | City, 1% of population, 12 hours |
Inpatient episodes cancelled | 250 | Trust or independent provider | City, 1% of population, 12 hours |
Lack of availability of NHS111 services | Greater than 3 hours | NHS111 services | Region, 4% of population, 3 hours |
Disruption to NHS emergency ambulance services | (a) Greater than or equal to 85% service degradation for greater than or equal to 15 minutes; (b) greater than or equal to 30% degradation for greater than or equal to 35 minutes; (c) greater than or equal to 5% degradation for greater than or equal to 4 hours | Ambulance | Ambulance quality indicators |
Non-availability of drugs and/or medical devices | Greater than 24 hours | Trust or independent provider | City, 1% of population, 24 hours |
Community care appointments cancelled | 1,500 | Trust or independent provider | City, 1% of population, 12 hours |
Table 1 notes:
- ‘Excess fatalities’ relates to unexpected or additional fatalities caused by the impact of a network and information systems event. This category covers excess fatalities that occur immediately as a direct result of the relevant event.
- ‘Excess casualties’ relates to unexpected or additional casualties caused by harm that is attributable to the impact of a network and information systems event. This category covers excess casualties that occur immediately as a direct result of the relevant event.
- The ‘potential clinical harm’ threshold reflects the fact that disruption to essential health services creates the risk of clinical harm to patients, and this is something that should be considered in notification of incidents under network and information systems on patient safety grounds. The figure refers to the number of patients put at risk of clinical harm immediately as a direct result of the relevant event.
- For the category ‘lack of availability of NHS111 services’, this may include call handling operation and/or interfacing services.
Useful guidance is available online through the DSPT on incident reporting under the NIS Regulations (and UK GDPR), including the downloadable Guide to the Notification of Data Security and Protection Incidents.
Impacts to a network and information system that have non-malicious or broader resilience causes, for example failures in software or hardware, interruptions to power supplies or natural disasters, are also in scope if the impact of the incident meets the reporting thresholds in table 1.
If an incident affects more than one OES
Should an incident meeting the NIS Regulations’ thresholds affect multiple OESs, all impacted OESs are required separately to report the incident via the DSPT.
If there has been a personal data breach
All organisations with access to NHS patient data and systems, regardless of whether they are in scope of the NIS Regulations, are required under UK GDPR to report personal data breaches. This should be done through the DSPT incident reporting tool, which also notifies the ICO. This includes personal data breaches relating to network and information systems. A network and information systems incident that disrupts the delivery of health and care, or compromises the confidentiality of health and care data, is likely to risk the rights and freedoms of individuals.
UK GDPR establishes that when a security incident takes place, organisations should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, as explained in the DSPT guidance and ICO guidance. Therefore, such incidents should be reported through the DSPT in line with UK GDPR requirements even where there is no requirement to report the incident under the NIS Regulations.
Emergency preparedness, resilience and response
The NHS needs to be able to plan for and respond to a wide range of incidents and emergencies which could affect health or patient care. This is underpinned by legislation contained in the Civil Contingencies Act 2004, the NHS Act 2006 and the Health and Care Act 2022. Further information is available in the NHS Emergency Preparedness, Resilience and Response Framework.
For urgent cyber security issues that require immediate advice and support, contact the NHS data security helpline on 0300 303 5222.
Even if an incident is not expected to meet the NIS Regulations threshold or if it is unclear whether the thresholds will be met, OESs should seek support voluntarily from the NHS data security helpline as soon as practically possible so that the incident can be contained and further impacts on essential services mitigated.
Where appropriate, NHS Cyber Operations will work with NCSC to manage and resolve incidents.
Oversight
Monitoring compliance
DHSC is responsible for overseeing the operation of the NIS Regulations in the health sector in England. The department collects information to assess compliance by issuing information notices under the regulations (see below) and otherwise monitors compliance through information collected by NHS England, such as through the DSPT, as well as other nationally provided tools and assessments or audits. NHS England requires all DSPT category one organisations to complete a DSPT independent assessment or audit to the required mandatory scope and framework annually.
OESs are encouraged to make use of nationally provided tools and assessments, such as (but not limited to) central Cyber Security Operations Centre monitoring where offered. In certain instances, enforcement action may be taken regarding uptake of these tools and assessments.
Enforcement
Under the NIS Regulations, the Secretary of State has powers to take enforcement action with respect to an OES and its security and reporting duties, including:
- issuing an information notice to require an OES to provide information
- conducting an inspection
- issuing an enforcement notice to require action to address failings
- issuing a penalty notice levying a financial penalty up to specified amounts, including a maximum penalty of up to £17 million for a material contravention creating significant risks to, or impact on, the service provision
Case study example: unsupported systems
Data indicates that an OES is carrying a high degree of cyber risk with a high number of unsupported systems. The department asks for assurance that the risk is being appropriately managed, through evidence of a plan to manage the risk. The department follows up regularly to ensure the risk continues to be managed down. The documentation provided does not provide sufficient detail upon which to base assurance, so the department, on behalf of the Secretary of State, issues an information notice to the OES setting out the information that is required, via the submission of an improvement plan to upgrade from the unsupported systems by a given deadline. An enforcement notice may later be used to seek to ensure the improvement plan is fulfilled. Note that this example is illustrative rather than exhaustive regarding the available regulatory and non-regulatory levers.
The department is committed to promoting a ‘just culture’ around cyber security across the health and care system, supporting a culture of fairness, openness and learning when addressing identified cyber vulnerabilities, events or attacks so that staff feel confident to speak up rather than fearing blame. NHS England’s A just culture guide supports conversations between managers when identifying support or intervention required for a staff member involved in a patient safety incident and may support understanding and adoption of a just culture. This may be a useful tool for OESs when supporting staff to fulfil the organisation’s security and incident reporting duties.
While the department will consider what action is proportionate, we intend to use the full range of enforcement powers where we consider it appropriate. The department intends to require action via enforcement powers:
- after clearly communicating expectations and allowing appropriate time for steps to be taken
- with consideration of wider security expectations we set for OESs
The department intends to use its power to inspect in one or more of the following situations:
- where wider cyber security programmes such as the DSPT, nationally provided tools and assessments or audits, including those delivered by NHS England, are unable to obtain sufficient information
- in response to a specific concern
- as part of post-event investigations
Penalty notices would normally only be used as a final resort.
In the past, the department has taken enforcement action via the NIS Regulations to seek assurance on:
- management of unsupported systems risk
- mitigation of vulnerabilities in response to a high severity alert
- commitment to participate in centrally resourced on-site assessments
- commitment to participate in centrally resourced backup reviews
- implementation of specific controls requested in response to heightened threats
- response to incidents
Further information on enforcement action is included in Annex A.
Appeals
If an OES disagrees with network and information systems regulatory action undertaken by the department and the issue cannot be resolved between the OES and the department, an OES may appeal to the First-tier Tribunal against one or more of the following decisions of the Secretary of State to:
- designate that person as an OES
- revoke the designation of that person as an OES
- serve an enforcement notice on that OES
- serve a penalty notice on that OES
The OES may appeal on one or more of the following grounds:
- that the decision was based on a material error as to the facts
- that any of the procedural requirements under the NIS Regulations in relation to the decision have not been complied with and the interests of the OES have been substantially prejudiced by the non-compliance
- that the decision was wrong in law
- that there was some other material irrationality, including unreasonableness or lack of proportionality which has substantially prejudiced the interests of the OES
An OES may lodge an appeal within 28 days of the date on which the relevant decision or notice was received. The tribunal may accept a notice of appeal outside this time limit under certain circumstances. Further information is available online via published guidance on Electronic communications, postal services, and network and information systems: appeal a notice or decision.
The First-tier Tribunal may, until it has determined the appeal, and unless the appeal is withdrawn, suspend the effect of the whole or part of the decision which the OES is appealing. If an enforcement notice is not suspended in whole or in part by the First-tier Tribunal, then it (or the relevant parts of it) remains in force and can be enforced.
Where the tribunal quashes the whole or part of a decision that relates to an appeal, it must remit the matter back to the competent authority (DHSC) with a direction to that authority to reconsider the matter and make a new decision having regard to the ruling of the tribunal; the department must have regard to this direction. If the department makes a new decision, this will be considered final.
The appeal process is governed by the General Regulatory Chamber tribunal procedure rules, which set out the procedural rules for proceedings before the First-tier Tribunal, including by when and how an OES should appeal and how hearings are conducted.
Enforcement by civil proceedings
Where the Secretary of State has reasonable grounds to believe that an OES has failed to comply with the requirements of an enforcement notice, the Secretary of State can bring civil proceedings against the OES for:
- an injunction to enforce the duty to comply with an enforcement notice
- specific performance of a statutory duty (under section 45 of the Court of Session Act 1988)
- any other appropriate remedy or relief
Contacts
For urgent cyber security issues that require immediate advice and guidance, call the NHS data security helpline on 0300 303 5222 (available 24 hours per day).
For formal incident reporting under the NIS Regulations and UK GDPR, use the Data Security and Protection Toolkit (DSPT).
For questions about the application of the NIS Regulations or this guide, email nis.authority@dhsc.gov.uk.
For general NHS Cyber Operations queries, email cybersecurity@nhs.net.
Annex A: network and information systems notices data
Since 2018 (up to 15 August 2023), DHSC has issued:
- 58 notices on unsupported systems (54 information notices and 4 enforcement notices)
- 71 information notices on remediation of vulnerabilities in response to high severity alerts
- 4 information notices on implementation of on-site assessments
- 2 information notices on implementation of backup reviews
- 5 information notices on implementation of specific controls requested in response to heightened threats
- 2 notices on response to an incident (1 information notice and 1 enforcement notice)
We have also issued further information notices to require information to support designation decisions.