The Network and Information Systems Regulations (2018) are intended to ensure that the operational technology which maintains the production of drinking water remains robust and operational, so that water is delivered at all times. In England and Wales, the implementation and operational delivery of the NIS Regulations is delegated to the Drinking Water Inspectorate. The strategic purpose is to ensure that water companies deliver the essential service of providing uninterrupted, wholesome water supplies to consumers in England and Wales.

Water companies serving a population of 200,000 people or more must implement a risk assessment to improve the resilience of operational technology, and have returned the outcome annually as part of the regulations since 2018.

Between 2023 and 2024, every water company has been subject to an Inspectorate cyber resilience audit to verify each company’s self-assessed risk assessment. Two companies were issued with legal notices to improve their risk assessments in response to the audits. Every company in England (and Wales) has a regulation 18 notice to address residual cyber risk and their PR24 cyber improvement plans. Ofwat Price Control Deliverables are tied to these notices being met in full. Failure to meet the notice requirements may attract Ofwat penalties in addition to any Inspectorate enforcement. Due to the sensitive nature of cyber resilience in the water sector, information on sector performance is not published in the public domain. A Ministerial report on Cyber Resilience in the water sector is produced annually.