NIS Directive and NIS Regulations 2018: Ofgem guidance for Operators of Essential Services
This guidance supports Operators of Essential Services with their cyber security provisions under the NIS regulations.
Details
The Network and Information Systems (‘NIS’) Directive transposed into UK law as The Network and Information Systems Regulations 2018 (‘NIS Regulations’), and came into force on 10 May 2018.
This guidance supports Operators of Essential Services to fulfil their regulatory duties and continually manage security and resilience with respect to the network and information systems on which their essential services rely, or which are used for the provision of an essential service.
This guidance supersedes version 2.0.
The guidance contains:
- NIS Guidance for Downstream Gas and Electricity Operators of Essential Services in GB V3.0
- NIS-R Reporting Templates
- NIS Supplementary Guidance and CAF Overlay for DGE Sector
- NIS Security Assurance Guidance (Concept) for Downstream Gas & Electricity
Documents
All updates
14 January 2026 updated NIS Guidance for Downstream Gas and Electricity Operators of Essential Services in GB, published NIS Self-Assessment and Improvement Report Template and NIS Annual Report Template, added Remediation Action Tracker and Assurance Programme Plan.
30 April 2025 published NIS Security Assurance Guidance (Concept) for Downstream Gas & Electricity.
26 May 2023 decision and NIS reporting templates published.
14 February 2023 consultation on revised NIS reporting templates.
1 April 2022 NIS Guidance for Downstream Gas and Electricity Operators of Essential Services in GB, introducing four-part set of NIS reporting requirements and compliance reporting.
30 November 2018 published NIS Guidance for Downstream Gas and Electricity Operators of Essential Services in GB.