What NIS2 is and why it matters

NIS2 (Directive (EU) 2022/2555) is the EU's updated framework for cybersecurity across critical and important sectors. It replaces the original NIS Directive (2016/1148), which was transposed into UK law as the NIS Regulations 2018 before Brexit. Member states were required to transpose the updated Directive into national law by 17 October 2024.

The Directive matters because it fundamentally changes the scale and character of mandatory cybersecurity regulation in Europe. The original NIS framework covered a relatively narrow set of operators – utilities, transport, health, digital infrastructure – and left considerable discretion to member states on how obligations were applied. NIS2 tightens all of that: more sectors, clearer thresholds, specific security requirements, stricter incident reporting timelines and substantially higher penalties.

For organisations that are in scope, it's not a box-ticking exercise. The Directive requires demonstrable security practices and active incident management, and it requires member states to make management bodies personally liable for failures to comply.

How NIS2 differs from the original NIS Directive

The original Directive gave member states significant latitude in identifying which organisations were subject to it, and in deciding how obligations translated into national law. That produced inconsistent implementation across the EU and created gaps that NIS2 is explicitly designed to close.

The key changes are set out in the sections that follow: who is in scope, what security measures are required, how incidents must be reported, how supply chain risk is treated, and how the rules are enforced.

Which organisations are now in scope

NIS2 divides regulated entities into two tiers.

Essential Entities are, broadly, large organisations in the sectors considered most critical (Annex I of the Directive): energy, transport, banking, financial market infrastructure, health (including manufacturers of basic pharmaceutical products and of medical devices deemed critical in a public health emergency), drinking water, wastewater, digital infrastructure (including internet exchange points, DNS service providers, TLD name registries, cloud computing, data centre services, content delivery networks, trust service providers and public electronic communications networks), ICT service management, public administration and space. Essential Entities are subject to proactive supervision – competent authorities can conduct audits and inspections without waiting for an incident to occur.

Important Entities cover medium-sized organisations in the Annex I sectors above, plus organisations in an additional set of sectors (Annex II): postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacture of certain products (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines and social networking platforms) and research organisations. Important Entities face the same security and reporting obligations, but supervision is generally reactive – triggered by incidents, complaints or other evidence of non-compliance rather than routine inspection.

The size threshold for most sectors is medium enterprise or above: organisations with 50 or more employees, or with annual turnover or an annual balance sheet total exceeding €10 million. Some entity types are in scope regardless of size – notably DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks, and central government public administration – so even small organisations in those categories can be covered.

Member states also have discretion to bring additional organisations into scope where they consider them critical, regardless of whether they meet the general thresholds.

Core security requirements under NIS2

The Directive requires in-scope organisations to implement appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. Article 21(2) sets out ten specific categories that the measures must, at a minimum, cover:

- policies on risk analysis and information system security
- incident handling
- business continuity, including backup management, disaster recovery and crisis management
- supply chain security, including the security of relationships with direct suppliers and service providers
- security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of the risk-management measures
- basic cyber hygiene practices and cybersecurity training
- policies and procedures on the use of cryptography and, where appropriate, encryption
- human resources security, access control policies and asset management
- use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

The proportionality principle still applies – the Directive doesn't expect identical security postures from a small food manufacturer and a major bank – but it does require a documented, risk-based approach to all ten areas, taking into account the entity's exposure to risk, its size, and the likelihood and severity of incidents. Management bodies must approve these measures, oversee their implementation and undergo training, and can be held personally liable if appropriate controls are not in place.

Incident reporting obligations

NIS2 introduces a three-stage reporting process for significant incidents (Article 23), with timelines that are considerably tighter than those under the original Directive:

- An early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- An incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- A final report within one month of the incident notification, describing the incident in detail, the type of threat or root cause, the mitigation applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead and the final report follows within one month of the incident being handled. Competent authorities or CSIRTs can also request intermediate status updates.

A "significant incident" is one that has caused, or is capable of causing, severe operational disruption of the entity's services or financial loss to the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. What counts as "significant" in practice is being further specified through Commission implementing acts for certain sectors, ENISA guidance and national competent authorities.

Reports must be made to the national CSIRT or, where the member state has so decided, the competent authority designated under NIS2 – the specific body varies by sector and member state. Organisations with establishments in several EU member states may fall under the jurisdiction of each of them and need to report in each relevant jurisdiction; certain digital service providers (such as DNS, cloud, data centre and online platform providers) instead fall under the jurisdiction of the member state where their main EU establishment is.

Supply chain security requirements

One of the most commercially significant aspects of NIS2 is its treatment of supply chain security. The Directive requires in-scope organisations to assess and address cybersecurity risks arising from their relationships with suppliers and service providers – not just their own systems.

In practice this means regulated organisations need to evaluate the security practices of vendors and partners that provide services or systems that could affect their own security posture. Under Article 21(3), that evaluation should take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of their products and services, their cybersecurity practices including secure development procedures, and any relevant results of EU-level coordinated risk assessments of critical supply chains.

The supply chain provision has a direct pull-through effect. If you supply a NIS2-regulated organisation – even if you're not regulated yourself – your customer may impose contractual security requirements on you derived from their own NIS2 obligations. UK businesses supplying EU-regulated entities should expect increased scrutiny of their cybersecurity practices, regardless of whether NIS2 applies to them directly.

Enforcement and penalties

NIS2 sets EU-wide maximum penalty thresholds for the first time, removing the previous member state discretion that led to inconsistent enforcement across the bloc.

For Essential Entities, administrative fines of up to €10 million or 2% of total worldwide annual turnover in the preceding financial year apply, whichever is higher. For Important Entities, the equivalent figures are €7 million or 1.4% of global turnover.

Beyond financial penalties, the Directive gives competent authorities powers to issue binding instructions, order the implementation of specific security audits, require public disclosure of non-compliance and, for Essential Entities that fail to comply within a set deadline, temporarily suspend certifications or authorisations and temporarily prohibit individuals at chief executive or legal representative level from exercising management functions in the regulated organisation.

The personal liability provisions are worth noting specifically. Article 20 requires member states to ensure that management bodies of Essential and Important Entities approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements resulting from their failure to comply. Senior leaders cannot treat NIS2 as purely a technical or operational matter.

Implications for UK businesses post-Brexit

The UK is not directly bound by NIS2. Following Brexit, EU directives no longer apply automatically, and the UK maintains its own cybersecurity regulatory framework under the NIS Regulations 2018.

However, NIS2 has significant indirect implications for UK businesses in several situations:

Operating in EU member states. A UK business that provides services or operates infrastructure in the EU may be directly subject to NIS2 if it falls within a covered sector and meets the size thresholds. The Directive applies based on where the entity is established and where services are provided, not where the group is headquartered, and a provider of certain digital services (such as DNS, cloud, data centre, managed services or online platforms) that is not established in the EU but offers those services there must designate a representative in one of the member states where it operates.

Supplying EU-regulated organisations. As discussed under supply chain requirements, UK suppliers to NIS2-regulated entities can expect contractual obligations derived from their customers' NIS2 compliance programmes.

Processing EU personal data. Where UK businesses are already subject to GDPR obligations for EU data subjects, NIS2's cybersecurity requirements represent an additional layer of expectation from EU-side customers and regulators.

On the domestic side, the UK's Cyber Security and Resilience Bill – expected to progress through Parliament during 2025 and 2026 – is taking a broadly similar direction to NIS2: expanding sector coverage, tightening incident reporting requirements and increasing penalties. UK businesses that build NIS2-aligned security practices now are likely to find themselves well placed for the domestic regulatory changes that follow.

The practical starting point for any UK business with EU exposure is a scoping assessment: which EU member states are you active in, which customers or suppliers are NIS2-regulated, and what security obligations flow from those relationships? From there, a gap analysis against the ten security categories in Article 21 will identify where your current practices fall short of what the Directive requires.

Route B helps businesses understand their NIS2 obligations and build practical compliance programmes – from scoping to implementation.
