The ‘Network and Information Systems Regulations 2018’ (NIS) came into force on 10 May 2018.
Legislative requirements, including the UK General Data Protection Regulation (UK GDPR), require all public sector organisations to ensure appropriate technical protections are in place when suppliers process personal data on our behalf. The NIS Regulations intend to address the threats posed to network and information systems and aim to ensure that essential service sectors have robust cyber security in place and improve the functioning of the digital economy.
(Note that data loss falls under the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018).
The NIS Regulations require that a Competent Authority for Health is in place. To meet this requirement, Scottish Ministers are considered to be the Competent Authority for Health in Scotland, as such they have a regulatory responsibility for oversight and enforcement of the NIS Regulations.
All NHS Scotland health boards are considered to be Operators of Essential Services and therefore must comply with the standards set out in the NIS Regulations. Standards cover managing security risk, defending systems against cyber-attack, detecting cyber security events and minimising the impact of cyber security incidents.
The functions of the Scottish Health Competent Authority (SHCA) are:
Provide support, training and guidance on compliance requirements
Deliver regulatory responsibility for compliance monitoring, oversight and enforcement of the NIS Regulations
Issue penalties for non-compliance.
We have produced a range of support material to aid compliance with the NIS Regulations, such as guidance publications and template reporting forms. The documents are developed on an ongoing basis. We welcome feedback and comments to inform future versions.
You can contact us by email at HealthCA@gov.scot
The National Cyber Security Centre (NCSC) are the UK’s independent authority on cyber security. Further information regarding NIS can be located on their site: