NIS2 and Local Authorities: What UK Councils Need to Know

The EU's NIS2 Directive, which member states were required to transpose into national law by 17 October 2024, significantly expands the scope of network and information security obligations, including to public administration entities. The UK operates under its own NIS Regulations following Brexit, but the government has signalled alignment with NIS2 principles through planned updates to those Regulations, and councils with cross-border data flows or services to EU-regulated entities need to understand both regimes.

NIS2 extends cybersecurity obligations to public administration in the EU. UK councils should assess their exposure and align controls with NIS2 principles ahead of equivalent UK requirements.

NIS2 and UK Local Government

The UK's Network and Information Systems (NIS) Regulations 2018 apply to Operators of Essential Services (OES) in the energy, transport, health, drinking water and digital infrastructure sectors, and to Relevant Digital Service Providers. Local government is not a listed sector in its own right, but a council that operates a service within one of those sectors above the relevant threshold (for example transport infrastructure) can be designated as an OES. NIS2 goes further, adding sectors such as wastewater, waste management and public administration, and the UK government's planned NIS2-aligned update to the NIS Regulations is expected to extend obligations in a similar direction. Councils should assess now whether any of their services meet current OES thresholds and which would be caught by a widened scope.

Core NIS2 Security Obligations

NIS2 (Article 21) requires entities in scope to implement risk management measures covering ten areas:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, including backup management, disaster recovery and crisis management
  • Supply chain security, including vendor risk management
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

Incident Reporting Under NIS2

NIS2 (Article 23) introduces tiered reporting for significant incidents: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, intermediate status updates on request, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing). These clocks start from awareness, not from containment, so they are only achievable if monitoring can detect and triage a significant incident quickly and the notification path is decided in advance. UK councils should test their incident response procedures against these timelines even though the current UK NIS Regulations set their own reporting requirements.

Preparing for NIS2 Alignment

Councils should treat NIS2 alignment as a governance priority: conduct a gap assessment against the ten NIS2 security obligation areas, review supply chain contracts for security and incident notification clauses, ensure senior leadership understands its accountability (NIS2 requires management bodies to approve and oversee risk management measures and makes them liable for failures), and develop and exercise incident response procedures with notification protocols that can meet the 24-hour and 72-hour deadlines.

Frequently Asked Questions

Does NIS2 apply directly to UK local authorities?

NIS2 is EU law and does not apply directly to UK organisations post-Brexit. However, UK councils with operations in EU member states, or that provide services to EU-regulated entities, may find NIS2 obligations flowing down to them contractually and must understand the requirements. The UK government is updating its own NIS Regulations to reflect NIS2 principles, and the NCSC Cyber Assessment Framework (CAF), which UK NIS competent authorities already use to assess OES, covers the same ground as the NIS2 security obligations.

Which local government services might trigger NIS OES status?

Local authorities providing services that fall within NIS Regulations OES categories, including drinking water supply, transport and digital infrastructure, may be designated as OES if they exceed the sector thresholds. NIS2 extends the list to wastewater and waste management, which the UK's planned update may mirror. Combined authorities with transport functions and councils that own or operate transport infrastructure should seek legal advice on their current NIS status, and all councils should track how the widened scope will affect them.
