The Network and Information Security Directive (Directive (EU) 2022/2555, known as NIS2) is a cornerstone of the European Union's coordinated effort to strengthen cybersecurity across a wide range of sectors.
It repeals and builds upon the first NIS Directive (NIS1), which Member States had to apply from 2018 and which the UK implemented through the Network and Information Systems Regulations 2018. NIS2 adopts a broader scope, imposes tougher obligations, and harmonises the rules more closely across Member States to counter evolving cyber threats.
The first question UK organisations are likely to ask is whether NIS2 affects them, and if so, how. Following Brexit the UK is not required to transpose NIS2 into domestic law, but the Directive still applies directly to any in-scope organisation that provides services or carries out activities within the EU. In addition, the UK is updating its own domestic framework to align with NIS2 principles via the Cyber Security and Resilience Bill, which is expected to come into force later this year. That alignment is intended to smooth operations between the UK and the EU and to strengthen cyber resilience across the board.
The number of high-profile cyber incidents is rising, and the impact of those affecting critical infrastructure in the public sector has been plain to see. There is plenty in these two pieces of legislation to act as a call to arms for UK organisations.
Scope and Rationale
Reflecting the increased risks to national security and economic output from cyber related incidents, NIS2 applies to a wider range of organisations than NIS1, classifying them as either “Essential” or “Important” according to (i) the sector in which they operate, (ii) their size, and (iii) the nature of the services or activities they provide in the EU.
Entities are drawn from “Sectors of High Criticality” under Annex I (e.g. energy, transport, banking, health, digital infrastructure, and public administration) and “Other Critical Sectors” under Annex II (e.g. manufacturing, digital providers, research, and certain areas of food production). NIS2 focuses mainly on medium-sized and large entities, generally excluding most micro and small enterprises unless specific criteria indicate particular societal or economic importance.
NIS2’s overarching aim is to bolster cyber resilience by mandating cohesive standards for incident reporting, risk management, and accountability across the EU. It stresses the need to ensure that cybersecurity today goes beyond a review of the direct activities of an organisation, and extends into its supply chain. This broader sweep is intended to address vulnerabilities that may arise from third-party service providers and other interlinked networks.
Essential vs Important Entities
Under NIS2, entities are categorised based on the potential impact of disruptions to their services:
- Essential Entities operate in the "Sectors of High Criticality" under Annex I, such as energy, health, banking, drinking water, transport, digital infrastructure, ICT service management and others. They are generally large organisations whose operational continuity is crucial for public safety and societal stability.
- Important Entities are those that do not meet the threshold for "essential" yet still play a significant role in the broader cybersecurity ecosystem. They include medium-sized and large entities in the "Other Critical Sectors" listed in Annex II (e.g. other manufacturing, digital providers, research), as well as medium-sized entities operating in Annex I sectors that are not large enough to be classified as essential.
Although both categories must comply with similar “core obligations” regarding cybersecurity risk-management measures and incident reporting, Essential entities face a stricter supervisory regime and higher potential penalties. By contrast, Important entities are subject to “ex post supervision,” meaning that while they remain accountable, enforcement usually occurs only after evidence of non-compliance arises.
| | Essential Entities | Important Entities |
| --- | --- | --- |
| Sector | Annex I ("Sectors of High Criticality"), typically large operators | Annex II ("Other Critical Sectors"), or smaller organisations in Annex I sectors |
| Supervision | Both proactive and reactive. Inspections, audits and, for non-compliance, potential suspension of certifications or authorisations may apply | Primarily reactive. Supervision is triggered where there is an indication of an infringement |
| Penalties | Up to €10 million or 2% of worldwide annual turnover (whichever is higher) | Up to €7 million or 1.4% of worldwide annual turnover (whichever is higher) |
Member States must maintain a regularly updated list of Essential and Important entities. To populate it, in-scope entities are required to submit information to the competent authority, including their name, address and up-to-date contact details, the sector and sub-sector in which they operate, and the Member States in which they provide their services. Organisations operating in several Member States should therefore establish early which national authority has jurisdiction over them and what that authority requires.
Key Obligations and Requirements
Cybersecurity Risk Management
NIS2 entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks to the network and information systems they use to provide their services. Article 21 sets out the minimum areas these measures must cover: risk analysis and information system security policies; incident handling; business continuity, backup and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures taken; basic cyber hygiene and cybersecurity training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication and secured communications. Organisations are expected to take a risk-based approach, with re-evaluation of security practices over time and targeted attention to supply chain vulnerabilities, overseen through a governance framework that involves senior management.
Incident Reporting
A defining feature of NIS2 is its strict, staged requirement to report "significant" incidents, meaning those that have caused or are capable of causing severe operational disruption or financial loss, or that have affected or are capable of affecting others by causing considerable material or non-material damage. An early warning must be submitted to the CSIRT or competent authority without undue delay and in any event within 24 hours of the entity becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts or could have a cross-border impact. A fuller incident notification, with an initial assessment of severity and impact and any indicators of compromise, follows within 72 hours, and a final report is due no later than one month after that notification. These timelines are designed to enable rapid coordination between authorities and affected organisations and to limit the spread or impact of attacks.
Governance and Accountability
One of NIS2’s key requirements is the focus on top-level management accountability. Senior leadership must be directly engaged in cybersecurity oversight, ensuring they receive suitable training and remain informed about relevant risks. Negligence or breach may expose board members to personal liability.
Similarly, in the UK, and outside of the Cyber Security and Resilience Bill, the Government has recently introduced the Cyber Governance Code of Practice, focused on the same aim of ensuring senior management buy-in and oversight of cyber risk management.
Enforcement and Penalties
NIS2 bolsters enforcement powers for national regulators, enabling them to oversee compliance through inspections, targeted audits, and, where necessary, suspension of certifications and services; fines can also be levied upon entities in breach of their obligations.
For Essential Entities, the maximum sanction is €10 million or 2% of worldwide annual turnover, while Important Entities face a maximum of €7 million or 1.4% of worldwide annual turnover.
Broader Implications and UK Perspective
Despite the UK's withdrawal from the EU, NIS2 still applies to UK-based organisations that provide in-scope services or carry out in-scope activities in any Member State. Within the UK, the original NIS framework (the NIS Regulations 2018) continues to apply, with an updated domestic regime anticipated later in 2025. UK businesses operating across borders must therefore comply with both the UK regime and, where relevant, the new EU measures under NIS2.
How can organisations ensure compliance?
Ensuring compliance with the NIS2 framework calls for a structured and proactive approach. Organisations should begin by carrying out a thorough gap analysis of their existing cybersecurity policies and technical measures, contrasting those with NIS2’s expanded obligations to identify any shortfalls. On the back of that assessment, a robust governance strategy ought to be implemented, embedding accountability for cybersecurity at board level, offering continuous training to senior managers, and establishing written procedures that reinforce clear oversight and risk management.
In parallel, recent incidents demonstrate once again how vital it is to develop and rehearse incident-response plans and reporting mechanisms; this is fundamental to managing cyber risk. For those covered by NIS2, incident response must meet the stringent timeframes described above: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of that notification. Without the right processes in place, many organisations risk falling foul of these requirements at the first hurdle. Formalising the timeline, assigning responsibility for each step, and agreeing in advance how severity and "significance" will be assessed helps ensure consistency and clarity across the organisation.
Supply-chain weaknesses continue to amplify risk, and effective due diligence of suppliers and sub-contractors is a cornerstone of NIS2 compliance. Organisations should review and, where necessary, update supplier contracts to align them with NIS2 requirements. Where activities stretch across several EU Member States, a cross-border compliance strategy is essential. This may involve confirming which Member State has jurisdiction, putting in place the reporting channels for the relevant national authorities, and adopting any applicable local cybersecurity standards. Organisations that are not established in the EU but provide certain in-scope digital services there must also designate a representative in one of the Member States where those services are offered.
Throughout this process, consulting with legal and cybersecurity professionals offers valuable insights on implementing NIS2 practically. By taking these steps, organisations can position themselves to meet NIS2’s expectations, respond efficiently and effectively to risk and reduce the likelihood of enforcement measures.
In summary
The NIS2 Directive ushers in a more unified and comprehensive cybersecurity landscape throughout the EU. By broadening its scope, tightening its reporting obligations, and imposing heavier responsibilities on senior management, NIS2 aims to ensure that Europe’s rapidly evolving digital infrastructure is both secure and resilient. Whether deemed “Essential” or “Important,” organisations must proactively bolster their cybersecurity governance, risk management, and incident response strategies to avert cyber threats and maintain business continuity.
For those who fall outside of the NIS2 regime, there is lots that can be learned from the legislation and a thorough review of cyber risk management within your business can be leveraged to enhance value and trust.
If you would like support in understanding whether your organisation is in scope for NIS2, or to understand how to build on current risk management frameworks to ensure compliance, please get in touch.
