The NIS Regulations 2018 come into effect on 10 May 2018. The Regulations require Operators of Essential Services (OES) - including NHS Trusts and NHS Foundation Trusts - to take appropriate and proportionate technical and organisational measures to manage risks to the security of the network and maintain continuity of services, and in so doing follow guidance published by or for ‘Competent Authorities’ (which for NHS Trusts and FTs is the Department of Health).

‭Incidents which have a significant impact on continuity of services must be reported within 72 hours. Inspection, enforcement and penalty provisions (including potential fines of up to £17m if an incident results in an immediate threat to life) form part of the regulations.

These Regulations add impetus to the challenges faced by NHS organisations seeking to balance the need to protect their systems, including legacy software, evidenced by the Wannacry attack last year, with constrained budgets.