NIS2 Directive
What NIS2 requires
NIS2 imposes four core obligations on organisations within scope:
- Risk management measures – implement technical, operational, and organisational measures proportionate to the risk, covering incident handling, supply chain security, encryption, and access control
- Incident reporting – notify the relevant national authority within 24 hours of becoming aware of a significant incident, with a full report within 72 hours
- Corporate accountability – management bodies must approve and oversee cybersecurity risk management measures, with personal liability for non-compliance
- Supply chain security – assess and manage cybersecurity risks from direct suppliers and service providers
Penalties for non-compliance are substantial. Essential entities face fines of up to 10 million euros or 2% of global annual turnover. Important entities face up to 7 million euros or 1.4% of turnover.
Sectors in scope
NIS2 expands coverage from the original seven sectors to 18, divided into two categories:
Essential entities: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Important entities: postal and courier services, waste management, chemicals, food production, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, and digital providers (online marketplaces, search engines, social networking platforms).
NIS2 and the UK
The UK is not bound by NIS2 following Brexit. The UK retains its own NIS Regulations 2018, which transposed the original NIS Directive. However, the UK government has signalled intentions to update these regulations, and any revision is expected to align with NIS2’s expanded scope.
UK organisations are affected by NIS2 in practice if they provide services to EU-based essential or important entities, they operate subsidiaries or branches within the EU, or they form part of the supply chain for EU organisations in scope. In these cases, EU clients and partners will require evidence of NIS2-aligned security measures as a condition of doing business.
Cyberfort Group and NIS2
We support organisations navigating both UK NIS Regulations and EU NIS2 requirements. Our cyber security review service assesses your current security posture against NIS2’s risk management requirements and identifies gaps in incident reporting, supply chain security, and governance. As one of 24 NCSC Assured Cyber Security Consultancies in the UK, we bring regulatory and technical expertise to cross-border compliance challenges. [Learn more about our cyber security review →](/services/cyber-security-review/)
Related terms
- NCSC CAF – the UK’s Cyber Assessment Framework, used for NIS Regulation compliance assessments
- ISO 42001 – AI management system standard, increasingly relevant alongside NIS2 for digital infrastructure
- DORA – the EU’s Digital Operational Resilience Act, a sector-specific regulation complementing NIS2 for financial services
External references
- Wikipedia: Network and Information Security Directive – background and legislative history
- EUR-Lex: Directive (EU) 2022/2555 – full legislative text
- ENISA: NIS2 Directive – implementation guidance from the EU Agency for Cybersecurity
- Wikidata: Q114310978 – canonical entity identifier
Frequently asked questions
Does NIS2 apply to UK organisations?
NIS2 is EU legislation and does not directly apply in the UK post-Brexit. However, UK organisations that operate in the EU, supply EU entities in scope, or have EU subsidiaries may need to comply with NIS2 requirements through contractual obligations or local subsidiary compliance.
What is the difference between NIS and NIS2?
NIS2 significantly expands the original NIS Directive. It covers 18 sectors (up from seven), introduces stricter incident reporting timelines (24-hour initial notification), imposes personal liability on management, and increases maximum penalties to 10 million euros or 2% of global turnover.
When did NIS2 come into force?
NIS2 was adopted in November 2022 with a transposition deadline of 17 October 2024. EU member states were required to incorporate it into national law by that date, though implementation timelines have varied across member states.
How does NIS2 relate to the NCSC CAF?
In the UK, the NCSC’s Cyber Assessment Framework (CAF) is used to assess compliance with the UK NIS Regulations. If the UK updates its NIS Regulations to align with NIS2, the CAF is likely to be updated accordingly to reflect the expanded scope and requirements.
Contact Us
Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX
