NIS2 Readiness Checklist

Preparing for the EU Network and Information Security Directive

18 min read January 2026

A practical guide for UK organisations affected by NIS2

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • What Is NIS2?
  • Does NIS2 Apply To You?
  • Key Requirements
  • NIS2 vs UK Requirements
  • The 10 Minimum Security Measures
  • Incident Reporting Under NIS2
  • Supply Chain Requirements
  • Management Accountability
  • Readiness Assessment
  • Implementation Roadmap
  • NIS2 Compliance Checklist
  • How DSC Can Help

1. Executive Summary

The NIS2 Directive is the EU's updated framework for cyber security of essential and important entities. It came into force in October 2024 and significantly expands scope, strengthens requirements, and increases penalties.

Why UK organisations should care:

  • You operate in EU member states
  • You provide services to EU customers
  • Your EU customers require NIS2 compliance from suppliers
  • UK regulation is aligning with NIS2 principles

Key NIS2 features:

  • Expanded scope (more sectors, more organisations)
  • 10 minimum security measures required
  • 24-hour initial incident notification
  • Supply chain security obligations
  • Management body accountability
  • Fines up to €10 million or 2% of global turnover

This guide helps you:

  • Determine if NIS2 applies to your organisation
  • Understand the key requirements
  • Assess your current readiness
  • Plan your compliance approach

2. What Is NIS2?

Background

NIS2 (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It was adopted in December 2022 and member states were required to transpose it into national law by October 2024.

Why NIS2?

The original NIS Directive was seen as insufficient:

  • Inconsistent implementation across member states
  • Too narrow scope (many critical sectors excluded)
  • Weak enforcement
  • Inadequate incident reporting
  • Supply chain risks not addressed

NIS2 addresses these issues with:

  • Broader, clearer scope
  • Harmonised requirements
  • Stronger enforcement powers
  • Faster incident reporting
  • Explicit supply chain provisions
  • Management accountability

Scope Expansion

NIS2 dramatically expands which organisations are covered:

Original NIS:

  • Operators of Essential Services (designated)
  • Digital Service Providers (cloud, search, marketplaces)

NIS2:

  • Essential Entities (18 sectors)
  • Important Entities (additional sectors)
  • Based on sector AND size thresholds
  • No individual designation required for most

Essential vs Important Entities

NIS2 creates two categories:

Essential Entities:

  • Higher-risk sectors
  • Stricter supervision
  • Higher penalties
  • Proactive regulatory oversight

Important Entities:

  • Lower-risk sectors
  • Ex-post supervision (after incidents)
  • Lower maximum penalties
  • Lighter regulatory touch

3. Does NIS2 Apply To You?

Sector Scope

Essential Entity Sectors (Annex I):

| Sector | Subsectors |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating |
| Transport | Air, rail, water, road |
| Banking | Credit institutions |
| Financial Market Infrastructure | Trading venues, CCPs |
| Health | Healthcare providers, labs, pharma, medical devices |
| Drinking Water | Supply and distribution |
| Waste Water | Collection, disposal, treatment |
| Digital Infrastructure | IXPs, DNS, TLD, cloud, data centres, CDNs, trust services, public comms |
| ICT Service Management (B2B) | MSPs, MSSPs |
| Public Administration | Central government |
| Space | Ground-based infrastructure operators |

Important Entity Sectors (Annex II):

| Sector | Subsectors |
|---|---|
| Postal and Courier | Postal service providers |
| Waste Management | Waste collection, treatment, recovery |
| Chemicals | Manufacturing, production, distribution |
| Food | Production, processing, distribution |
| Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles, transport equipment |
| Digital Providers | Online marketplaces, search engines, social networks |
| Research | Research organisations |

Size Thresholds

For most sectors, NIS2 applies to:

Medium organisations:

  • 50+ employees, OR
  • €10 million+ annual turnover AND €10 million+ balance sheet

Large organisations:

  • 250+ employees, OR
  • €50 million+ turnover AND €43 million+ balance sheet

Some entities are in scope regardless of size (e.g., TLD registries, DNS providers, trust service providers).

Determining If You're In Scope

Step 1: Sector check

  • Is your organisation in an Annex I or Annex II sector?
  • Consider all your activities, not just primary business

Step 2: Size check

  • Do you meet the medium or large thresholds?
  • Consider group-level figures if part of a group

Step 3: Location check

  • Do you have an establishment in the EU?
  • Do you provide services in the EU?

Step 4: Category determination

  • Essential (Annex I sector + large) or Important?

UK Organisations and NIS2

NIS2 does not apply directly in the UK (post-Brexit). However:

NIS2 may apply to you if:

  • You have establishments in EU member states
  • You provide covered services in the EU
  • You are the designated EU representative for a non-EU entity

You should still care about NIS2 if:

  • EU customers require compliance from suppliers
  • You want to align with international standards
  • UK regulation is moving in a similar direction

4. Key Requirements

Overview of Obligations

NIS2 requires covered entities to:

  • Implement appropriate security measures (10 minimum areas)
  • Report significant incidents
  • Manage supply chain security
  • Ensure management accountability
  • Register with competent authorities
  • Cooperate with authorities

Risk-Based Approach

Requirements must be:

  • Appropriate to the risks faced
  • Proportionate to the entity's size, exposure, and potential impact
  • Based on an all-hazards approach (not just cyber)
  • Informed by state-of-the-art technology and relevant standards

Standards and Frameworks

NIS2 encourages use of:

  • European and international standards
  • ENISA guidelines
  • Relevant sector-specific standards

ISO 27001 and the NCSC Cyber Assessment Framework align well with NIS2 requirements.

5. NIS2 vs UK Requirements

Current UK Framework

The UK has its own NIS Regulations (2018), which are being updated by the Cyber Security and Resilience Bill.

Comparison

| Aspect | UK (Current + Bill) | EU NIS2 |
|---|---|---|
| Scope | Essential services + MSPs + data centres | Broader sector coverage, size thresholds |
| Incident reporting | 24 hours (Bill) | 24 hours initial, then 72 hours, then 1 month |
| Management liability | Cyber Governance Code (voluntary) | Explicit management body accountability |
| Penalties | Up to £17m / 4% (Bill) | Up to €10m / 2% (Essential) |
| Supply chain | Required (Bill) | Explicit requirements |
| Framework | CAF-aligned | ENISA guidance |

Key Differences

UK approach:

  • Sector-specific regulation via existing regulators
  • CAF as assessment framework
  • Cyber Governance Code for boards
  • Enforcement through sectoral regulators

NIS2 approach:

  • Harmonised EU-wide requirements
  • Self-assessment of scope
  • Explicit management body duties
  • National competent authorities

Dual Compliance

If you're subject to both UK and EU requirements:

  • Map requirements to identify common ground
  • ISO 27001 provides good foundation for both
  • CAF and ENISA guidance are largely compatible
  • Document how you meet each requirement
  • Note differences in incident reporting timelines and recipients

6. The 10 Minimum Security Measures

NIS2 Article 21 specifies 10 areas that security measures must address "at a minimum."

1. Risk Analysis and Information System Security Policies

Requirement:

Policies on risk analysis and information system security.

What this means:

  • Documented risk assessment process
  • Information security policies
  • Regular risk assessment
  • Risk treatment decisions

Evidence:

  • Risk assessment methodology
  • Risk register
  • Information security policy
  • Policy review records

2. Incident Handling

Requirement:

Incident handling procedures.

What this means:

  • Incident detection capability
  • Incident response procedures
  • Roles and responsibilities
  • Escalation procedures
  • Post-incident review

Evidence:

  • Incident response plan
  • Incident log
  • Post-incident reports
  • Exercise records

3. Business Continuity and Crisis Management

Requirement:

Business continuity, such as backup management and disaster recovery, and crisis management.

What this means:

  • Business continuity plans
  • Backup procedures and testing
  • Disaster recovery capability
  • Crisis management procedures

Evidence:

  • Business continuity plan
  • Backup policy and test records
  • Disaster recovery plan
  • Crisis management procedures

4. Supply Chain Security

Requirement:

Supply chain security, including security-related aspects concerning relationships with direct suppliers or service providers.

What this means:

  • Supplier risk assessment
  • Security requirements in contracts
  • Monitoring of supplier security
  • Management of supplier incidents

Evidence:

  • Supplier risk assessment
  • Contract security clauses
  • Supplier security questionnaires
  • Supplier review records

5. Security in Network and System Acquisition, Development, and Maintenance

Requirement:

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.

What this means:

  • Secure procurement
  • Secure development practices
  • Vulnerability management
  • Patch management
  • Vulnerability disclosure process

Evidence:

  • Secure development policy
  • Vulnerability management procedure
  • Patch status reports
  • Vulnerability disclosure process

6. Assessing Effectiveness of Security Measures

Requirement:

Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

What this means:

  • Security testing
  • Audits and assessments
  • Metrics and measurement
  • Continuous improvement

Evidence:

  • Penetration test reports
  • Audit reports
  • Security metrics
  • Improvement records

7. Basic Cyber Hygiene and Training

Requirement:

Basic cyber hygiene practices and cybersecurity training.

What this means:

  • Security awareness programme
  • Role-specific training
  • Basic security practices enforced
  • Regular training updates

Evidence:

  • Training programme
  • Training completion records
  • Awareness materials
  • Phishing test results

8. Cryptography and Encryption

Requirement:

Policies and procedures regarding the use of cryptography and, where appropriate, encryption.

What this means:

  • Encryption policy
  • Data encryption (transit and rest)
  • Key management
  • Cryptographic standards

Evidence:

  • Encryption/cryptography policy
  • Evidence of encryption implementation
  • Key management procedures

9. Human Resources Security and Access Control

Requirement:

Human resources security, access control policies and asset management.

What this means:

  • Personnel security (screening, contracts)
  • Access control policies
  • Privileged access management
  • Asset inventory and management

Evidence:

  • HR security procedures
  • Access control policy
  • Privileged access records
  • Asset inventory

10. Multi-Factor Authentication and Secure Communications

Requirement:

Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems.

What this means:

  • MFA deployed for access
  • Secure communication channels
  • Emergency communication capability

Evidence:

  • MFA implementation evidence
  • Secure communications policy
  • Emergency contact procedures

7. Incident Reporting Under NIS2

Reporting Timeline

NIS2 introduces a multi-stage reporting process:

| Stage | Timeframe | Content |
|---|---|---|
| Early Warning | Within 24 hours | Initial notification that an incident has occurred |
| Incident Notification | Within 72 hours | Updated assessment, initial impact, IoCs |
| Intermediate Report | On request | Status updates as requested by the authority |
| Final Report | Within 1 month | Full root cause, impact, remediation |

What Triggers Reporting

Significant incidents must be reported. An incident is significant if:

  • It caused or is capable of causing severe operational disruption or financial loss
  • It affected or is capable of affecting other persons by causing considerable material or non-material damage

Who to Report To

  • National competent authority (varies by member state)
  • CSIRT (Computer Security Incident Response Team)
  • In some cases, affected service recipients

Cross-Border Incidents

For incidents affecting multiple member states:

  • Report to each relevant authority
  • ENISA coordinates cross-border response
  • Information sharing between authorities

8. Supply Chain Requirements

Why Supply Chain Matters in NIS2

NIS2 explicitly addresses supply chain security because:

  • Supply chain attacks have increased dramatically
  • Dependencies on third parties create systemic risk
  • Previous regulation didn't adequately address supply chain

Article 21 Requirements

Entities must address:

> "Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"

What This Means In Practice

Supplier assessment:

  • Identify suppliers with access to your systems/data
  • Assess their security posture
  • Prioritise based on risk and criticality

Contractual requirements:

  • Include security requirements in contracts
  • Define incident notification obligations
  • Establish audit rights
  • Require flow-down to sub-suppliers

Ongoing management:

  • Monitor supplier security over time
  • Review critical suppliers regularly
  • Respond to supplier incidents

ICT Supply Chain Specific Risks

NIS2 calls out consideration of:

  • Vulnerabilities specific to each supplier
  • Overall quality of products and practices
  • Security development practices of suppliers
  • Results of coordinated security risk assessments

Co-ordinated Risk Assessments

ENISA and national authorities may conduct coordinated risk assessments of critical supply chains. Entities may need to participate and implement recommendations.

9. Management Accountability

A Significant Change

NIS2 places explicit accountability on management bodies (boards, executives).

Article 20 Requirements

Management bodies must:

  • Approve cybersecurity risk-management measures
  • Oversee implementation of those measures
  • Be liable for non-compliance
  • Undergo training to understand cyber risks

Management body members:

  • Must follow training on cybersecurity
  • Should encourage similar training for employees
  • Can be held personally liable for infringements

What This Means

Board-level engagement:

  • Cyber security on board agenda
  • Board approval of security measures
  • Regular reporting to board
  • Board training on cyber

Personal accountability:

  • Directors/executives personally accountable
  • Potential for individual sanctions
  • Can't delegate away responsibility

Enforcement

Competent authorities can:

  • Impose fines on the organisation
  • Issue binding instructions to management
  • Temporarily suspend certifications or authorisations
  • Temporarily prohibit natural persons from exercising management functions

10. Readiness Assessment

Quick Self-Assessment

Governance:

  • Board-approved cyber security measures
  • Designated cyber security responsibility
  • Regular management reporting on cyber
  • Management training on cyber risks

Risk Management:

  • Documented risk assessment process
  • Current risk assessment in place
  • Risk treatment decisions documented
  • Regular risk review cycle

Security Measures:

  • Information security policies
  • Access control and MFA
  • Encryption for sensitive data
  • Vulnerability management
  • Patch management
  • Security monitoring

Incident Management:

  • Incident response plan
  • 24-hour notification capability
  • Plan tested within last year
  • Lessons learned process

Business Continuity:

  • Business continuity plan
  • Backup and recovery procedures
  • Disaster recovery capability
  • Plans tested

Supply Chain:

  • Critical suppliers identified
  • Supplier security assessed
  • Contract security requirements
  • Supplier incident notification

Training:

  • Security awareness programme
  • Training completion tracked
  • Management training completed
  • Regular training updates

Compliance:

  • Registration with authority (if required)
  • Reporting procedures documented
  • Audit trail maintained

Scoring Your Readiness

0-8 items checked: Significant gaps - prioritise NIS2 compliance programme

9-16 items checked: Moderate readiness - address specific gaps

17-24 items checked: Good foundation - fine-tune and document

All items checked: Strong position - maintain and improve

11. Implementation Roadmap

Phase 1: Assessment (Months 1-2)

Scope determination:

  • Confirm NIS2 applicability
  • Identify which entities/operations in scope
  • Determine Essential or Important category
  • Identify applicable member state(s)

Gap analysis:

  • Assess current state against 10 minimum measures
  • Identify gaps
  • Prioritise based on risk

Planning:

  • Develop implementation roadmap
  • Assign responsibilities
  • Budget for required investments
  • Set realistic timelines

Phase 2: Foundation (Months 3-4)

Governance:

  • Establish management accountability
  • Assign security responsibilities
  • Set up reporting to management
  • Schedule management training

Policy development:

  • Information security policy
  • Risk management policy
  • Incident response policy
  • Supply chain security policy
  • Other required policies

Risk management:

  • Conduct/update risk assessment
  • Document risk treatment decisions
  • Establish risk review cycle

Phase 3: Implementation (Months 5-8)

Technical measures:

  • MFA deployment
  • Encryption implementation
  • Monitoring and detection
  • Vulnerability management
  • Backup and recovery

Processes:

  • Incident response procedures
  • Business continuity plans
  • Supplier management procedures
  • Access management processes

People:

  • Security awareness training
  • Role-specific training
  • Management training

Phase 4: Validation (Months 9-10)

Testing:

  • Incident response exercises
  • Business continuity tests
  • Backup restoration tests
  • Security assessments/pen tests

Audit:

  • Internal audit of NIS2 compliance
  • Evidence review
  • Gap remediation

Phase 5: Ongoing Compliance (Ongoing)

Maintain:

  • Regular risk assessments
  • Continuous monitoring
  • Training updates
  • Policy reviews

Report:

  • Incident reporting as required
  • Management reporting
  • Regulatory engagement

Improve:

  • Lessons learned
  • Continuous improvement
  • Adapt to new guidance

12. NIS2 Compliance Checklist

Governance and Accountability

  • Management body has approved cyber security measures
  • Management body oversees implementation
  • Management body members have completed cyber training
  • Clear roles and responsibilities assigned
  • Regular reporting to management on cyber security

Risk Management

  • Risk analysis process documented
  • Information system security policies in place
  • Risk assessments conducted and current
  • Risk treatment decisions documented
  • Regular risk reviews scheduled

Incident Handling

  • Incident response plan documented
  • Incident detection capability in place
  • 24-hour initial notification capability
  • Incident classification criteria defined
  • Post-incident review process
  • Plan tested within last 12 months

Business Continuity

  • Business continuity plan documented
  • Backup procedures implemented
  • Backup testing conducted and documented
  • Disaster recovery capability
  • Crisis management procedures
  • BC/DR plans tested

Supply Chain Security

  • Critical suppliers identified
  • Supplier risk assessments conducted
  • Security requirements in supplier contracts
  • Incident notification requirements in contracts
  • Supplier security monitoring process
  • Sub-supplier requirements addressed

Security in Acquisition/Development

  • Secure procurement policy
  • Secure development practices (if applicable)
  • Vulnerability management process
  • Patch management process
  • Vulnerability disclosure process

Effectiveness Assessment

  • Security testing programme (pen tests, audits)
  • Security metrics defined and tracked
  • Regular effectiveness reviews
  • Continuous improvement process

Cyber Hygiene and Training

  • Security awareness programme
  • All staff complete awareness training
  • Training completion tracked
  • Role-specific training provided
  • Regular training updates

Cryptography

  • Cryptography/encryption policy
  • Data encrypted in transit
  • Sensitive data encrypted at rest
  • Key management procedures

Human Resources and Access Control

  • Personnel security procedures
  • Background screening (as appropriate)
  • Access control policy
  • Privileged access management
  • Asset inventory maintained
  • Access reviews conducted

Authentication and Communications

  • MFA implemented for system access
  • MFA for remote access
  • Secure communications policy
  • Emergency communication procedures

Registration and Reporting

  • Registered with competent authority (if required)
  • Reporting procedures documented
  • Contacts for authorities identified
  • Cross-border reporting considered (if applicable)

13. How DSC Can Help

Dead Simple Computing helps UK organisations prepare for and maintain compliance with NIS2 and related UK requirements.

Assessment

NIS2 Readiness Assessment:

  • Scope determination
  • Gap analysis against 10 minimum measures
  • Prioritised findings
  • Implementation roadmap

Mapping to UK Requirements:

  • NIS2 vs UK NIS/Bill comparison
  • Identify common controls
  • Efficient dual compliance approach

Implementation

Policy and Process:

  • Policy development
  • Procedure documentation
  • Risk assessment support
  • Supplier management framework

Technical:

  • Security controls implementation
  • Monitoring and detection
  • Vulnerability management
  • Incident response capability

Managed Services

Compliance-Ready IT:

  • Security built in
  • Evidence and reporting
  • Supports NIS2 requirements

Security Services:

  • MDR for detection capability
  • SIEM for logging requirements
  • Vulnerability management

Advisory

vCISO:

  • Strategic compliance leadership
  • Management reporting
  • Regulatory engagement
  • Ongoing compliance management

Contact us:

Resources

Official Sources

  • EUR-Lex: NIS2 Directive full text (eur-lex.europa.eu)
  • ENISA: NIS2 guidance and tools (enisa.europa.eu)
  • National Authorities: each EU member state has designated competent authorities

UK Comparison

  • UK NIS Regulations: legislation.gov.uk
  • Cyber Security and Resilience Bill: parliament.uk
  • NCSC CAF: ncsc.gov.uk/collection/caf

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 to help organisations understand and prepare for NIS2 requirements.

NIS2 implementation varies by EU member state. Organisations should check specific national requirements where they operate.

This guide is for informational purposes and does not constitute legal advice.

© 2026 Dead Simple Computing Ltd. All rights reserved.