
What Is NIS2 and Does It Apply to My Business?

Quick Answer

NIS2 is the updated EU directive on network and information security, expanding cyber requirements to more sectors and organisations. The UK is implementing equivalent requirements. If you're in critical sectors or supply them, you may be affected.

Quick answer: NIS2 is the updated EU directive on network and information security, expanding cyber requirements to more sectors and organisations. The UK is implementing equivalent requirements. If you're in critical sectors or supply them, you may be affected.

What NIS2 Is

NIS2 (Network and Information Security Directive 2) replaces the original NIS Directive with expanded scope and stricter requirements. It's EU legislation, but the UK is implementing equivalent domestic rules through the Cyber Security and Resilience Bill.

Key changes from NIS1:

  • More sectors covered
  • More organisations in scope (size thresholds)
  • Stricter security requirements
  • Heavier penalties
  • Supply chain security obligations
  • Incident reporting requirements

Who NIS2 Applies To

Essential Entities (higher requirements)

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial infrastructure
  • Health
  • Water supply and wastewater
  • Digital infrastructure
  • Public administration
  • Space

Important Entities (slightly lighter touch)

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

Size Thresholds

Generally applies to:

  • Medium organisations: 50+ employees or €10m+ turnover
  • Large organisations: 250+ employees or €50m+ turnover

Some critical sectors have no size threshold.

What NIS2 Requires

Risk management measures

  • Risk analysis and security policies
  • Incident handling
  • Business continuity
  • Supply chain security
  • Security in acquisition and development
  • Vulnerability handling
  • Cyber hygiene and training
  • Cryptography
  • Human resources security
  • Access control
  • Asset management

Incident reporting

  • Early warning within 24 hours
  • Incident notification within 72 hours
  • Final report within one month

Governance

  • Management body approval of security measures
  • Management training on cyber security
  • Accountability for non-compliance

UK Implementation

The UK isn't bound by EU NIS2 but is implementing equivalent requirements through the Cyber Security and Resilience Bill. The scope and requirements will be similar, adapted to the UK context.

The current UK NIS Regulations (derived from NIS1) remain in force. The planned updates will bring the UK in line with NIS2 standards.

Penalties

EU NIS2 penalties:

  • Essential entities: Up to €10 million or 2% of global turnover
  • Important entities: Up to €7 million or 1.4% of global turnover

UK penalties will be set in domestic legislation.

What to Do Now

If you might be in scope:

  1. Assess applicability - Are you in a covered sector? Do you meet the size thresholds?
  2. Gap analysis - How do your current security measures compare to the NIS2 requirements?
  3. Supply chain review - NIS2 requires you to manage supplier security. What do you require from your suppliers?
  4. Incident response - Can you meet the 24-hour early warning deadline?
  5. Governance - Is management engaged with cyber security? Are they trained?

How We Help

We support organisations preparing for NIS2:

Assessment: Determine if NIS2 applies to you and assess gaps

Implementation: Build security measures meeting NIS2 requirements

vCISO: Ongoing oversight of compliance

Managed services: Security operations supporting NIS2 compliance

We also help organisations in the supply chain of essential entities—NIS2 flows down.

---

*Disclaimer: NIS2 is EU legislation. UK implementation is through separate domestic legislation (Cyber Security and Resilience Bill). Requirements, scope, and timelines may change. This is general guidance—consult with legal counsel for advice on your specific obligations. Verify current regulatory guidance before making compliance decisions.*
