What are the NIS Regulations?

The EU Directive on the security of Network and Information Systems (NIS) was introduced to improve the security of critical infrastructure and essential services. The UK Government as decided, as with GDPR, that ‘Brexit’ will not affect its implementation. The NIS Directive was brought into UK law on 10 May 2018, by the The Network and Information Systems Regulations 2018.

All organisations that are considered to be ‘Operators of Essential Services’ are legally required to comply with the Regulations. Essential Services include: electricity; oil; gas; air, maritime, rail, and road transport; water; healthcare; and, digital infrastructure. Operators are regulated by sector-specific ‘Competent Authorities.’

Fines for non-compliance can be as high as £17 million, in addition to those already provided for by the General Data Protection Regulations.

What is the Cyber Assessment Framework?

In support of the UK NIS Directive implementation, the National Cyber Security Centre has developed a systematic method of assessing the extent to which an organisation is adequately managing cyber security risks, when delivering essential services.

The Cyber Assessment Framework (CAF) meets both the NIS Directive requirements, and wider Critical National Infrastructure needs.

Scope Assessment

Identifying the scope of your critical systems is a vital part of compliance with the NIS Directive. Our consultants will help you to correctly identify which systems impact on your provision of essential services, and how these systems are affected by the issues identified by your threat and risk assessment.

Gap Analysis

Our NCSC Certified consultants will conduct an on-site assessment to identify key areas of weakness within your physical, digital, and process infrastructure. They will inspect your security controls, and parry them with the requirements of the Cyber Assessment Framework. At the end of the Gap Analysis, you will receive a report detailing your current strengths and weaknesses, complete with actionable points. This report will provide you with the information you need to fix any identified weaknesses.


We can work with you to fix any issues identified by the Gap Analysis–a process known as remediation. This remediation work puts your organisation in a position to achieve compliance with the NIS Directive. We can help you to implement process, procedure, and technical controls, and document them in a user-friendly manner.

Mock and External Inspection Support

The Network and Information Systems Regulations provide your sector’s Competent Authority with a power of inspection. Our consultancy team can attend your site during an inspection, to support your team, and liaise directly with the inspectors.

We are also able to conduct a mock inspection, led by an NCSC Certified Information Assurance Auditor, providing you with assurance of your systems. A mock inspection is a fantastic way to pre-empt any issue that could occur during an external inspection by your sector’s Competent Authority.

Why Choose Us?

We have a detailed working knowledge of both critical national infrastructure issues, and the NIS Regulations. Our team has conducted threat assessments, and capability audits for aerospace, shipping, and defence. Our security team hold qualifications such as NCSC Certified Information Assurance Auditor, PCI Qualified Security Assessor, ISACA Certified Information Systems Auditor and Certified Information Security Manager, Certified Information Systems Security Professional, and ISO 27001 Lead Auditor and Implementer.