The Network and Information Systems (NIS) Regulations 2018

The NIS Regulations 2018 provide legal measures to protect essential services by improving the security of the network and information systems that support the continuation of these services. Drinking water supply and distribution has been designated an essential service within Schedule 1 of these Regulations. Water companies supplying potable water to more than 200,000 people are classed as Operators of Essential Services (OES). OESs must take appropriate and proportionate measures to manage risks to their network and information systems and to prevent and/or minimise the impact of incidents on those systems.

The function of undertaking the operational Competent Authority (CA) duties has been transferred to DWI, which regulates OESs on behalf of the Secretary of State (for England) and the Welsh Government (for Wales).

The National Cyber Security Centre (NCSC) are the Single Point of Contact (SPOC) and Computer Security Incident Response Team (CSIRT) for incidents. Additionally, they undertake the Technical Authority function, supporting the OES and CA to deliver the requirements of the Regulations.

NIS incidents need to be reported to DWI without undue delay and no later than 72 hours after an OES becomes aware that a NIS incident has occurred. Our NIS Incident Reporting Guidance was updated in October 2022 and has been emailed to company contacts. It will be made available on DWI’s NIS Resilience Direct area. Please email if you require access to this guidance.

DWI’s Network and Information Systems Enforcement Policy is outlined in the PDF below.

Network and Information Systems Regulations Enforcement Policy

The NIS team can be reached at
