No more WannaCry! New guide for NHS providers explaining the new cyber regulations

You have been warned – get it wrong and your organisation could be landed with a heavy fine.

New regulations came into force on 10 May 2018 placing security and reporting requirements on ‘operators of essential services’, including in the healthcare sector. In England, NHS healthcare is considered an essential service with NHS Trusts and NHS Foundation Trusts designated as ‘operators of essential services’. The Department of Health and Social Care will be responsible for overseeing the operation of the new regulations within the health and care sector, including taking enforcement action.

The Department’s guide says that the Network and Information Systems Regulations 2018 have been incorporated into their wider approach to implementing the National Data Guardian’s ten data security standards. These data security standards apply to all health and care organisations, as does the General Data Protection Regulation.

However, the NIS Regulations only apply to the provider sector – that said, the guide does state that the Department will also designate other NHS healthcare providers as ‘operators of essential services’ and those organisations will be individually notified.

Fulfilling the security duties as a provider in the health and care sector

Given the sensitivity of health and care data – all health and care organisations must comply with the ten National Data Guardian’s data security standards and the GDPR. NHS Digital has now launched the new Data Security and Protection Toolkit, replacing the previous Information Governance Toolkit, to help keep patient information safe. The new toolkit incorporates the requirement for fulfilling the security duties of the NIS Regulations and the ten data security standards.  

Incident reporting

The incident reporting tool in the toolkit has been designed to meet the requirements for reporting NIS incidents and GDPR breaches. Providers are required to report any network and information systems incident which has a ‘significant impact’ within 72 hours of becoming aware of the incident.

All health and care organisations, regardless of whether they are in scope of the NIS Regulations are required to report GDPR breaches through the toolkit – such as a network and information system incident that disrupts the delivery of health and care or compromises the confidentiality of health and care data, is likely to risk the rights and freedoms of individuals.

Oversight – monitoring compliance and inspections

How will this work? The Department will use information collected by NHS Digital, including through the toolkit and onsite assessments. Inspections will only happen where NHS Digital is unable to obtain sufficient information or in response to a specific concern.

Failure to comply with the NIS security duties, the Department can take regulatory action from issuing an enforcement notice to issuing a penalty notice of up to £17 million.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.