UK NIS Regulations 2018 vs EU NIS2 Directive: what security leaders need to know

  • nis 2
  • Published by: André Hammer on Apr 03, 2024
Group classes

The NIS regime is the UK and EU framework designed to improve the security and resilience of network and information systems that support essential services, first introduced in the EU in 2016 and implemented in the UK through domestic law in 2018.

The term “NIS Regulation” is often used loosely, but precision matters. In the UK, the relevant law is the Network and Information Systems Regulations 2018. In the EU, the original NIS Directive has been replaced by Directive (EU) 2022/2555, usually called NIS2. NIS2 is a directive, not a regulation, which means EU Member States implement it through national law.

Why the terminology matters

Confusing the UK NIS Regulations with the EU NIS2 Directive can lead to practical mistakes: reporting to the wrong authority, applying the wrong incident threshold, or assuming that a UK-only compliance position also covers EU operations. Since Brexit, the UK and EU regimes have moved on separate tracks, although they share the same broad policy aim of improving cyber resilience in essential and important services.

The UK NIS Regulations 2018 apply to operators of essential services and relevant digital service providers that fall within UK scope. NIS2 applies across the EU through Member State laws and significantly broadens the range of covered sectors and entities. It can also affect non-EU organisations that provide certain services into the EU, including through requirements to appoint an EU representative where the directive applies.

A simple jurisdiction test is to start with where the service is provided, where the entity is established, and whether the service falls into a covered sector. A UK-only water operator will usually be looking first at the UK NIS Regulations and the relevant UK competent authority. A healthcare provider established in an EU Member State will need to assess the national law implementing NIS2 in that country. A non-EU cloud provider serving hospitals or public bodies in the EU may still have NIS2 obligations even without an EU headquarters.

UK NIS and EU NIS2 side by side

The comparison below gives a practical starting point, but it should not replace legal analysis of the relevant national law or sector guidance. Sector thresholds vary, and competent authorities may publish additional expectations on incident notification, evidence, and supervision.

Comparison of the UK NIS Regulations 2018 and the EU NIS2 Directive, covering scope, reporting, governance and penalties.
Area UK NIS Regulations 2018 EU NIS2 Directive
Legal form UK regulations applying within the UK. EU directive implemented through Member State national laws.
Scope Operators of essential services and relevant digital service providers, subject to sector rules and thresholds. Essential and important entities across a broader set of sectors, including many medium and large organisations in covered areas.
Incident reporting Notification is generally required without undue delay where sector-specific thresholds are met. Early warning is expected within about 24 hours, incident notification within about 72 hours, and a final report around one month after notification.
Governance Focuses on appropriate and proportionate security measures, risk management, and regulator engagement. Introduces stronger management accountability, oversight duties, supply chain security expectations, and evidence of risk governance.
Cross-border effect Primarily UK-focused, though UK organisations may also face EU obligations through EU operations or services. Can apply to certain non-EU providers serving the EU, including through EU representative requirements.

Who is in scope?

The UK regime is built around operators of essential services in sectors such as energy, transport, health, water, and digital infrastructure, alongside relevant digital service providers. The exact outcome depends on the service, sector thresholds, and the competent authority responsible for that sector. An organisation should not assume it is out of scope because cybersecurity is not its main business; the question is whether its service supports a critical function covered by the law.

NIS2 takes a broader approach. It distinguishes between essential entities and important entities and covers sectors that include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, food, chemicals, manufacturing of certain critical products, digital providers, and research organisations. The directive also uses size-based criteria in many areas, although national implementing laws may add important detail.

Suppliers should pay close attention even when they are not directly regulated. A software provider, managed service provider, data centre operator, or specialist maintenance supplier may be asked by a regulated customer to provide security evidence, incident notification commitments, audit rights, or contractual assurances. In practice, NIS and NIS2 obligations often move through the supply chain long before a regulator contacts the supplier directly.

Incident reporting under NIS and NIS2

Incident reporting is one of the areas where inaccurate summaries cause the most confusion. Under NIS2, the reporting cadence is staged: an early warning within about 24 hours after becoming aware of a significant incident, a more detailed incident notification within about 72 hours, and a final report around one month later. The purpose is to alert authorities quickly while allowing time for facts to develop.

Under the UK NIS Regulations, the core wording is different. Organisations generally need to notify relevant incidents without undue delay, and the applicable threshold depends on the sector and competent authority guidance. That means a UK incident response plan should not simply copy the NIS2 timings and assume compliance. It needs to reflect the correct UK authority, the sector threshold, and the organisation’s internal escalation route.

A practical incident process starts with detection and triage, then moves to legal and regulatory assessment, executive escalation, authority notification where required, customer or supplier communications where relevant, and post-incident evidence gathering. For incidents that may affect personal data, GDPR breach assessment runs in parallel; it does not replace NIS or NIS2 reporting. Financial entities may also need to consider DORA, while organisations with physical resilience obligations may need to consider the Critical Entities Resilience framework in the EU.

Governance and management accountability

NIS2 places more explicit pressure on management bodies. Senior leaders are expected to approve cybersecurity risk-management measures, oversee their implementation, and understand the organisation’s exposure. This changes NIS2 from a purely technical compliance task into a governance issue involving the board, legal, procurement, operations, and security teams.

Auditors and regulators tend to look for evidence rather than policy statements alone. Useful evidence includes asset inventories that connect systems to essential services, risk assessments that are updated after material changes, incident exercise records, supplier due diligence files, vulnerability management data, backup and recovery test results, and management meeting minutes showing oversight. A policy that has not been tested, funded, or assigned to an accountable owner is weak evidence.

Common implementation gaps are often operational rather than legal. Organisations may know their main platforms but lack a reliable inventory of dependencies, privileged accounts, operational technology, cloud workloads, and critical suppliers. Supplier security clauses may exist in new contracts but be missing from legacy agreements. Cross-border groups may also discover that no one has mapped which national authority receives which report when an incident affects several countries at once.

What good preparation looks like

Preparation should begin with the services that matter most, not with a generic control catalogue. The organisation needs to understand which services are potentially in scope, which systems support them, which third parties are critical to their delivery, and which authorities may need to be contacted during an incident. Frameworks such as ISO/IEC 27001 can help structure the management system, but NIS compliance still requires sector-specific interpretation and operational evidence.

A time-boxed plan can prevent the work from becoming too abstract. The first 30 days should focus on confirming scope, identifying competent authorities, mapping critical services and assets, and reviewing incident reporting routes. By 60 days, the organisation should have tested escalation procedures, reviewed supplier obligations, identified evidence gaps, and assigned executive ownership. By 90 days, it should have completed a tabletop exercise, updated contracts or remediation plans for critical suppliers, and produced a defensible evidence pack for management review.

Training also matters because NIS and NIS2 obligations cut across technical, operational, and governance roles. Security teams need to understand reporting triggers and evidence preservation; senior leaders need enough fluency to challenge risk decisions and approve investment. Readynez may support this kind of role-based learning where organisations need structured preparation around cybersecurity governance, cloud security, or risk management, but the core work remains the organisation’s own mapping of obligations to real services and systems.

Penalties and regulatory exposure

Both regimes include enforcement powers, although the detail differs by jurisdiction and national implementation. Regulators may ask for information, inspect evidence, issue directions, and impose penalties where duties are not met. Under NIS2, the distinction between essential and important entities also affects supervision and enforcement, with essential entities generally subject to more proactive oversight.

The more immediate risk for many organisations is not the headline penalty. It is the inability to explain what happened, what systems were affected, why reporting decisions were made, and how supplier dependencies were controlled. Poor evidence can make an incident look worse even where the technical response was competent.

FAQ

What is the NIS Regulation?

“NIS Regulation” is an informal phrase that usually refers to laws based on the EU Network and Information Systems framework. In the UK, the main law is the Network and Information Systems Regulations 2018. In the EU, the current framework is the NIS2 Directive, which Member States implement through national legislation.

Is NIS2 a regulation or a directive?

NIS2 is a directive: Directive (EU) 2022/2555. This matters because directives require implementation through national law, so organisations need to check the rules and regulator guidance in each relevant EU Member State.

Who needs to comply with NIS or NIS2?

In the UK, compliance generally applies to operators of essential services and relevant digital service providers that meet sector criteria. In the EU, NIS2 applies to essential and important entities in covered sectors, and in some cases to non-EU providers offering relevant services into the EU.

What are the NIS2 incident reporting deadlines?

NIS2 uses a staged reporting model: an early warning within about 24 hours, a fuller incident notification within about 72 hours, and a final report around one month later. UK NIS reporting uses a different formulation, generally requiring notification without undue delay when sector thresholds are met.

Does GDPR reporting cover NIS reporting?

No. GDPR breach reporting concerns personal data breaches, while NIS and NIS2 concern incidents affecting the security and continuity of network and information systems for covered services. The same incident may trigger both regimes, but the legal tests, authorities, and reporting content can differ.

Applying NIS obligations in practice

The practical value of NIS compliance lies in making critical services more resilient before an incident occurs. That means knowing which services are essential, which systems and suppliers support them, who can make reporting decisions, and what evidence will be available when a regulator asks how risk was managed.

This article is for general information and is not legal advice. Organisations should check the current law, competent authority guidance, and sector-specific requirements in each relevant jurisdiction. A practical next step is to combine legal scope analysis with an operational readiness review, then use targeted training and exercises to close gaps in governance, incident reporting, and supplier assurance; Readynez can be one option for building the underlying cybersecurity and compliance skills needed to support that work.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}