NIS2 vs UK NIS Regulations: scope, obligations, reporting, and penalties explained

  • Will NIS2 apply in the UK?
  • Published by: André Hammer on Apr 03, 2024
Group classes

NIS2 is Directive (EU) 2022/2555, the European Union’s replacement for the original Network and Information Security Directive, designed to raise cybersecurity requirements across a wider set of critical and digital sectors.

NIS2 is an EU directive, not a UK regulation. EU Member States were required to transpose it into national law by 17 October 2024, while the UK continues to operate under the separate Network and Information Systems Regulations 2018 unless and until UK law is changed. That distinction matters because many summaries blur the two regimes, creating confusion for UK organisations that work with EU customers, subsidiaries or supply chains.

Published/updated: 2026. Revision note: this article reflects the NIS2 transposition deadline of 17 October 2024 and the continuing separation between EU NIS2 and the UK NIS Regulations 2018. Organisations should verify local implementing legislation and regulator guidance in each relevant country before making compliance decisions.

What NIS2 is and what it is not

NIS2 is the EU’s updated cybersecurity directive for network and information systems. Its purpose is to improve resilience in sectors whose disruption could affect public services, economic activity, health, safety or digital infrastructure. It does this by expanding the organisations in scope, strengthening risk management requirements, setting incident reporting timelines and giving national authorities clearer supervisory and enforcement powers.

The directive is not a single, directly applied rulebook in the same way as a regulation. Each EU Member State implements NIS2 through national legislation, designates competent authorities and confirms reporting routes, including the relevant CSIRT where applicable. The European Commission, ENISA and national authorities provide useful guidance, but the operational details can differ by country.

The UK position is different. The UK NIS Regulations 2018 remain the domestic framework for relevant UK operators of essential services and digital service providers. UK organisations are not automatically brought under NIS2 simply because the EU adopted it. However, a UK-headquartered organisation may still need to assess NIS2 exposure if it is established in an EU Member State, provides covered services into the EU, operates through an EU subsidiary, or is contractually required by EU customers to meet NIS2-aligned controls.

NIS2 vs UK NIS Regulations 2018

The original UK NIS Regulations implemented the first EU NIS Directive before the UK left the EU. NIS2 is a later EU reform and does not automatically amend UK law. As a result, the two frameworks should be treated as related but separate regimes, with different terminology, scope decisions and enforcement processes.

Under NIS2, the core categories are “essential entities” and “important entities”. Under the UK NIS Regulations 2018, the familiar categories are operators of essential services and relevant digital service providers. Those terms should not be used interchangeably because they come from different legal frameworks and can lead to incorrect scoping assumptions.

From a practical perspective, organisations that operate across both the UK and the EU should build a jurisdiction map rather than rely on a single group-level answer. The useful first questions are whether the organisation is established in an EU Member State or offers covered services there, whether it operates in an Annex I or Annex II sector, whether it meets the size-cap threshold that usually brings medium and larger entities into scope, and whether its sector places it in the essential or important category. That sequence helps separate EU NIS2 exposure from UK NIS 2018 duties.

Who is in scope under NIS2?

NIS2 applies to a broader set of sectors than the original NIS Directive. It covers many organisations in Annex I sectors, such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. It also covers Annex II sectors, including postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research.

The directive generally uses a size-cap rule, meaning medium-sized and larger organisations in covered sectors are commonly within scope. Some entities can be included regardless of size because of the nature of their service, their criticality or a Member State decision. This is why scoping should be performed against the national implementing law in each relevant Member State, not only against a high-level sector list.

The distinction between essential and important entities affects supervision and penalties. Essential entities are generally subject to more proactive supervision, while important entities are more often supervised after evidence of non-compliance. Both categories still need to implement appropriate cybersecurity risk management measures and report significant incidents.

Non-EU organisations need a careful, country-by-country view. A company headquartered outside the EU may be affected where it provides covered services in the EU, has an EU establishment, or falls under rules requiring an EU representative. The safest approach is to map services, customers, legal entities and delivery locations before concluding that NIS2 is irrelevant.

Core obligations under NIS2

NIS2 requires in-scope entities to take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. In plain terms, this means the organisation must be able to identify risks, protect critical systems, detect incidents, respond effectively and recover services when disruption occurs.

The directive explicitly includes areas such as incident handling, business continuity, supply-chain security, vulnerability handling and disclosure, security in network and information systems acquisition and development, access control, asset management, cyber hygiene, training, cryptography where appropriate, and multi-factor or continuous authentication solutions where relevant. Existing ISO/IEC 27001 programmes often provide a useful foundation, especially for governance, risk assessment and control management, but they still need tailoring for NIS2-specific notification, management accountability and national reporting expectations. Readers building an ISMS alongside NIS2 readiness may find NIS2 Lead Implementer training useful as a structured way to connect directive requirements with implementation work.

Supply-chain security deserves particular attention because it is explicit in NIS2. Organisations must look beyond their own perimeter and assess risks from suppliers, managed service providers, managed security service providers, software vendors and outsourced technology operations. Contracts, assurance evidence, vulnerability disclosure processes and incident notification clauses become part of the compliance picture.

NIS2 also changes the role of senior management. Management bodies must approve cybersecurity risk management measures, oversee implementation and, under the directive, can be required to undergo cybersecurity training. In some cases, national laws may create personal liability or temporary management bans where duties are seriously breached. This moves NIS2 from a technical compliance issue into board governance, risk ownership and executive accountability.

Incident reporting timelines under NIS2

NIS2 introduces a staged reporting process for significant incidents. The first stage is an early warning within 24 hours of becoming aware of a significant incident. This is intended to alert the relevant authority or CSIRT that an incident may have a substantial impact, including whether unlawful or malicious action is suspected and whether cross-border effects are possible.

The second stage is an incident notification within 72 hours of becoming aware of the incident. This should update the initial warning and usually include a more developed assessment of severity, impact and indicators of compromise where available. If the incident is still unfolding, the notification may remain provisional, but it should show that the organisation has assessed the incident and is managing escalation.

The final report is due within one month of the incident notification. It should describe the incident in more detail, including severity, impact, likely root cause, mitigation measures and any cross-border implications. Where an incident is still ongoing at that point, national processes may require a progress report followed by a final report later.

A common readiness gap is the absence of a tested classification scheme that can support the 24-hour early warning. Many organisations can investigate incidents technically, but struggle to decide quickly whether an event is reportable, who starts the clock, who approves the message and which authority must receive it. A practical reporting playbook should define the triage clock start, internal contacts, escalation thresholds and templates for the 24-hour, 72-hour and one-month stages, then rehearse the workflow through tabletop exercises.

Penalties, supervision and management accountability

NIS2 gives Member States stronger enforcement tools than the original directive. Competent authorities can carry out supervision, request information, conduct audits or inspections, issue warnings and binding instructions, order remediation and impose administrative fines. The exact process depends on the national implementing law.

The directive sets maximum administrative fine bands. Member States may set detailed national rules within the directive’s framework, so organisations should confirm the local position in every relevant jurisdiction.

Enforcement is not limited to fines. The management accountability provisions mean boards and senior leaders need evidence that cybersecurity risk is being governed, not merely delegated. Useful evidence includes approved policies, risk registers, incident exercise records, supplier assurance reviews, remediation tracking and training records for management bodies where required by national law.

How organisations should prepare

NIS2 readiness should begin with scoping because the wrong jurisdictional assumption can waste months of effort. An organisation with UK headquarters, an Irish cloud operation, German customers and outsourced managed services may have different obligations in different places. Legal, security, procurement and operations teams should therefore work from the same entity and service map.

After scoping, the practical work is to compare current controls against NIS2 risk management measures and local implementing requirements. ISO/IEC 27001 can help structure the control environment, while incident response practices aligned to standards such as ISO 27035 can support reporting and escalation. Even so, NIS2 requires additional attention to authority notification, management approval, supplier risk and national reporting channels.

Training should be role-specific. Boards need enough understanding to oversee cyber risk and approve measures. Security and IT teams need clear playbooks for detection, escalation and recovery. Procurement and vendor management teams need to understand supply-chain assurance. Organisations building broader capability across governance, risk and incident response may use Unlimited Security Training to support different teams without treating NIS2 as a single-department project.

Financial entities should also consider how NIS2 interacts with sector-specific rules such as the Digital Operational Resilience Act. DORA is separate from NIS2 and has a more targeted financial-sector focus, but both address operational resilience, third-party risk and incident management. A useful comparison is available in this explanation of ISACA training and governance resources, especially where teams are aligning cyber risk, audit and assurance responsibilities.

Acronym glossary

  • NIS: Network and Information Security, used for the original EU directive and UK NIS Regulations 2018.
  • NIS2: Directive (EU) 2022/2555, the EU’s revised cybersecurity directive.
  • CSIRT: Computer Security Incident Response Team, often involved in receiving or coordinating incident reports.
  • Essential entity / important entity: NIS2 categories that influence supervision and penalty levels.
  • DSP/MSP: Digital service provider and managed service provider; terminology and scope depend on the relevant legal framework.

Where to verify requirements

Because NIS2 is implemented through national law, official verification should start with the relevant Member State authority, national CSIRT and the organisation’s legal advisers. The European Commission’s NIS2 pages explain the EU-level policy context, ENISA publishes supporting cybersecurity guidance, and national competent authorities confirm reporting channels and supervisory expectations.

Organisations should avoid assuming that a reporting contact used for GDPR, financial regulation or the UK NIS Regulations is also the correct NIS2 channel. In many cases, incident reporting will involve a national CSIRT or sector authority. The contact list should be maintained before an incident occurs, because searching for the correct regulator during the first 24 hours creates unnecessary risk.

FAQ

What is the NIS2 policy?

NIS2 is the EU’s revised Network and Information Security Directive, formally Directive (EU) 2022/2555. It requires in-scope essential and important entities to manage cybersecurity risk, report significant incidents and meet supervisory requirements under national implementing laws.

Does NIS2 apply in the UK?

NIS2 does not automatically apply in the UK. The UK continues to operate under the UK NIS Regulations 2018. A UK organisation may still need to assess NIS2 if it is established in an EU Member State, offers covered services into the EU, or is required by EU customers or contracts to meet NIS2-aligned obligations.

Who enforces NIS2?

NIS2 is enforced by competent authorities designated by each EU Member State under national implementing law. Reporting may also involve a national CSIRT, depending on the country, sector and incident type.

What are the main reporting deadlines under NIS2?

The main reporting stages are an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month of the incident notification. Local law and authority guidance may add procedural detail.

What are the penalties for NIS2 non-compliance?

Member States define enforcement processes in national law.

Building a practical NIS2 response

The key takeaway is that NIS2 readiness depends on accurate scoping, tested reporting processes and visible management oversight. Organisations that already operate mature security controls should still check whether their incident classification, supplier assurance and board governance processes meet the directive’s specific expectations.

Readynez provides NIS2 training for teams that need structured preparation, and organisations with questions about the right path can contact Readynez to discuss training options. This should sit alongside legal review, national authority guidance and practical testing of the organisation’s own reporting and response procedures.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}