Cyber & Resilience
NIS2 Directive Explained — What UK Businesses Need to Know
NIS2 is an EU cybersecurity directive for essential and important entities in covered sectors. It does not automatically apply to every UK business, and the UK did not adopt NIS2 after Brexit. It can still affect UK organisations with EU establishments, covered EU operations, or contractual responsibilities in an EU customer's supply chain.
UK businesses must separate three questions: whether an EU entity is directly in scope, whether UK cyber law applies, and whether a customer contract passes NIS2-related requirements down to suppliers.
What NIS2 covers
The NIS2 Directive expands the EU's cybersecurity framework. Covered sectors include energy, transport, banking, financial-market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste, chemicals, food, manufacturing, digital providers, and research.
Sector alone is not enough. Entity type, size, establishment, national law, and specific exceptions matter. Some critical entities can be covered regardless of size.
Because NIS2 is a directive, each EU member state implements it through national law. Registration, supervision, reporting channels, and penalties therefore need a country-specific check.
Does NIS2 apply directly in the UK?
No. The UK retained its own Network and Information Systems Regulations and is developing separate cyber-security reforms. NIS2 is not itself part of UK law merely because a business operates from Britain.
A UK group may still have an EU subsidiary or establishment covered by a member state's implementing law. Certain digital providers offering services in the EU may face specific establishment or representative rules. A UK supplier may also receive security, incident, audit, and contract requirements from an in-scope EU customer.
Contractual flow-down is not the same as direct regulatory scope. Record which kind of obligation you are dealing with.
What covered organisations must do
National implementation varies, but NIS2's core risk-management areas include:
- Risk analysis and information-system security policies
- Incident handling
- Business continuity, backup, disaster recovery, and crisis management
- Supply-chain security
- Secure acquisition, development, and maintenance
- Vulnerability handling and disclosure
- Testing whether controls work
- Cyber hygiene and training
- Cryptography and encryption where appropriate
- Access control, asset management, and multi-factor authentication
Management bodies must approve and oversee cybersecurity measures and can face accountability under national rules. This makes NIS2 a governance requirement, not just an IT checklist.
Incident reporting
NIS2 establishes a staged reporting model for significant incidents. It includes an early warning within 24 hours after becoming aware, an incident notification within 72 hours, and a final report generally within one month, subject to the directive and national procedures.
Do not wait for an incident to decide who reports. Define thresholds, internal escalation, evidence preservation, regulator contacts, and customer communications before an event.
Supply-chain implications for UK companies
An EU customer must manage risks arising from suppliers and service providers. It may ask a UK supplier for:
- Security policies and independent assurance
- Incident-notification commitments
- Vulnerability and patching processes
- Subprocessor and hosting information
- Business continuity and recovery evidence
- Audit or information rights
These requests can be commercially mandatory even where the supplier is not directly regulated.
NIS2, DORA, and Cyber Essentials
Financial entities may be governed by DORA, which acts as the sector-specific framework for many overlapping ICT-risk matters. UK suppliers should identify which customer and service relationship creates each requirement.
Cyber Essentials is a UK certification scheme built around baseline technical controls. It can provide useful evidence, but certification does not by itself prove NIS2 compliance.
What a UK business should do
Map EU entities, customers, services, and sectors. Ask whether the obligation is direct law, national implementation, or contract. Assign management ownership, compare existing controls with the required risk areas, and test incident reporting.
Keep the resulting policies, tests, contracts, and training in an evidence pack. Run the free audit to identify where NIS2 overlaps with your other technology obligations.
This article provides general information, not legal advice. Confirm national implementation requirements in each relevant EU member state.
Check your NIS2 and technology obligations →
Check my tools →