
NIS2: What UK Businesses Need to Know

David, Managing Director · 16 March 2026

What Is NIS2?

The Network and Information Security Directive 2 (NIS2) is the EU's updated cybersecurity regulation, replacing the original NIS Directive from 2016. It came into force across EU member states in October 2024. NIS2 dramatically expands the scope of regulated entities, introduces stricter security requirements, mandates 24-hour incident reporting, and imposes penalties of up to 10 million euros or 2% of global annual turnover — whichever is higher. It applies to organisations in 18 critical sectors including energy, transport, healthcare, digital infrastructure, ICT service management, and public administration.

Does NIS2 Apply to UK Businesses?

The UK is no longer bound by EU directives post-Brexit. However, NIS2 applies to any organisation that provides services within the EU, regardless of where it is headquartered. If your UK business provides digital services, managed IT services, cloud infrastructure, or operates in any of the 18 NIS2 sectors within the EU, you are in scope. The UK has its own NIS Regulations (2018) and is developing the Cyber Security and Resilience Bill, expected in 2026, which is widely anticipated to align with NIS2 standards. Preparing for NIS2 effectively prepares you for the UK's forthcoming requirements.

Key NIS2 Requirements

NIS2 mandates a risk-based approach to cybersecurity with minimum requirements covering: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, network and information system acquisition and development security, and policies for assessing the effectiveness of cybersecurity measures. The 24-hour early warning requirement is particularly demanding — organisations must notify their national CSIRT within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours.

  • Risk analysis and security policies mandatory
  • 24-hour early warning to national CSIRT for significant incidents
  • Full incident notification within 72 hours
  • Supply chain security assessments required
  • Management body personal liability for non-compliance
  • Penalties up to EUR 10 million or 2% of global turnover

How to Prepare: A Practical Approach

Start by determining whether your organisation is classified as "essential" or "important" under NIS2 — the requirements differ. Conduct a gap analysis against the NIS2 minimum security requirements. Implement continuous monitoring rather than periodic assessments: Hadrian for attack surface management, Panorays for supply chain risk, and BlackFog for data exfiltration prevention all directly address NIS2 obligations. Build your incident response plan to meet the 24-hour notification timeline — this requires automated detection and established escalation procedures. Ensure your board understands that NIS2 introduces personal liability for management bodies that fail to oversee cybersecurity.

Frequently Asked Questions

Does NIS2 apply to UK companies?

NIS2 applies to any organisation providing services within the EU, regardless of headquarters location. If your UK business operates in any of the 18 NIS2 sectors within the EU, you are in scope. The UK is also developing its own aligned regulation through the Cyber Security and Resilience Bill.

What are the NIS2 penalties?

Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face fines up to EUR 7 million or 1.4% of global annual turnover. NIS2 also introduces personal liability for management bodies.

What is the NIS2 incident reporting timeline?

Organisations must issue an early warning to their national CSIRT within 24 hours of becoming aware of a significant incident. A full incident notification must follow within 72 hours, and a final report within one month.

