These Regulations establish a legal framework to ensure that essential services and selected digital service providers within the UK put in place adequate measures to improve the security of their network and information systems, with a particular focus on those services which, if disrupted, could potentially cause significant damage to the UK’s economy, society and individuals’ welfare; and to ensure serious incidents are promptly reported to the competent authorities.
The UK’s modern economy, and the economic security it brings, is based on secure infrastructure. Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity, water, and health services, to the provision of passenger and freight transport. Their reliability and security are essential to economic and societal activity, and the functioning of UK and European markets.
Such systems can be a target for malicious actors that intend to damage or interrupt their operation through cyber attacks. Some systems may also be single points of failure for essential services and may be susceptible to other forms of compromise such as power failures, hardware failures and environmental hazards. Adverse incidents affecting such systems could cause significant damage to the UK economy, impeding economic activity and undermining user confidence, or result in substantial financial losses or a risk to public safety. The magnitude, frequency and impact of network and information system security incidents are increasing.
There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services (energy, health, transport, water and digital infrastructure) which, if disrupted, could potentially cause significant damage to the UK economy, society and individuals’ welfare.