NIS2 Compliance for UK Businesses: What You Need to Know

The EU's NIS2 Directive came into force in October 2024, significantly expanding the scope of mandatory cybersecurity requirements for organisations operating in the EU. UK businesses that supply EU customers or operate in EU member states may face NIS2 obligations — even though the UK is not subject to EU law post-Brexit.

Overview

NIS2 is the EU's expanded cybersecurity directive, in force from October 2024. UK businesses supplying EU entities may face NIS2 obligations through their customers. The security controls NIS2 requires — risk management, access controls, incident response, supply chain security — align with NCSC guidance and Cyber Essentials. The UK government is reviewing equivalent UK legislation.

What Is NIS2?

The Network and Information Security Directive 2 (NIS2) is the EU's updated framework for mandatory cybersecurity requirements across member states. Adopted in December 2022 and required to be transposed into national law by October 2024, NIS2 replaces the original NIS Directive from 2016 and represents a significant expansion of both the organisations covered and the security obligations imposed. For UK businesses, understanding NIS2 matters even post-Brexit — not because EU law applies directly to UK entities, but because NIS2's reach extends through supply chains, customer contracts, and EU-based subsidiaries.

The context for NIS2 is the rapidly evolving cyber threat landscape across Europe. The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, and 85% of those breaches involved phishing (DSIT 2025). EU member states face comparable challenges, and NIS2 is the legislative response — mandating baseline security controls, incident reporting, and governance requirements across a significantly broader range of sectors than the original directive covered.

UK Relevance Post-Brexit

NIS2 is an EU Directive, and the UK is no longer subject to EU law following Brexit. However, UK businesses are not necessarily exempt from NIS2's practical effects. There are three primary scenarios in which NIS2 affects UK organisations.

Supplying EU-Based Customers

EU organisations subject to NIS2 are required to assess and manage cybersecurity risks in their supply chains. This means that UK businesses providing services, products, or technology to EU-based customers may face contractual requirements to meet NIS2-equivalent security standards. EU customers will increasingly include cybersecurity requirements in procurement questionnaires, contract terms, and supplier due diligence processes. UK suppliers that cannot demonstrate adequate security controls risk losing EU business.

Operating EU Subsidiaries

UK businesses that operate subsidiaries in EU member states are directly subject to NIS2 through those entities. The subsidiary must comply with the NIS2 transposition in the relevant member state, which may require specific security controls, incident reporting procedures, and governance structures that the parent company needs to support.

Managed Service Providers and Digital Infrastructure

NIS2 specifically includes ICT service management — managed service providers, managed security service providers, and digital infrastructure providers — within its scope. UK-based MSPs or cloud service providers with EU customers may face NIS2 obligations through their customer relationships, as their EU clients are required to ensure their service providers meet adequate security standards.

Who NIS2 Affects: Sectors and Scope

NIS2 covers 18 sectors divided into two categories. Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities include postal and courier services, waste management, manufacturing of certain products, food production, digital providers (cloud computing, data centres, online marketplaces), research organisations, and chemicals.

The expansion from the original NIS Directive is substantial. The original directive covered only operators of essential services and digital service providers. NIS2 brings in managed service providers, food production, manufacturing, waste management, and postal services — sectors that were previously outside the scope of EU cybersecurity regulation. For UK businesses, the inclusion of ICT service management and digital providers is particularly significant, as many UK technology companies serve EU customers in these categories.

NIS2 Compliance Requirements

NIS2 imposes both technical and organisational requirements. Organisations must implement risk management measures covering:

  • network and information system security policies
  • incident handling procedures (detection, analysis, containment, and reporting)
  • business continuity and crisis management
  • supply chain security assessments
  • vulnerability disclosure and handling
  • policies for assessing cybersecurity effectiveness
  • use of cryptography and encryption where appropriate

Incident Reporting

The incident reporting timeline under NIS2 is significantly stricter than UK GDPR. An early warning must be provided to relevant national authorities within 24 hours of becoming aware of a significant incident. An incident notification with initial assessment must follow within 72 hours. A final report is required within one month. These timelines are only achievable if the organisation has robust incident detection, escalation, and reporting processes already in place. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), highlighting the gap many organisations would need to close.

Management Accountability

NIS2 introduces explicit management liability for cybersecurity compliance. Senior management can be held personally accountable for failures to implement adequate security measures. This represents a significant shift from treating cybersecurity as a purely technical matter to recognising it as a governance responsibility at board level. Fines for non-compliance can reach up to 10 million euros or 2% of global annual turnover, whichever is higher.

Alignment with UK Standards

The security controls NIS2 requires align substantially with existing UK frameworks and guidance. Cyber Essentials addresses five technical controls — boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management — that form a significant subset of NIS2's technical requirements. The NCSC's Cyber Assessment Framework (CAF) provides a more comprehensive mapping to NIS2's full scope, covering governance, risk management, asset management, supply chain, and resilience requirements.

Businesses that achieve Cyber Essentials Plus certification, maintain documented incident response procedures, conduct regular risk assessments, and manage their supply chain security have addressed a substantial portion of NIS2's requirements. The gap typically lies in the governance and documentation requirements — formal risk management processes, board-level accountability, and structured incident reporting procedures that go beyond the technical controls Cyber Essentials covers.

Compliance Steps for UK Businesses

For UK businesses that need to demonstrate NIS2-equivalent security to EU customers or through EU subsidiaries, a structured approach to compliance is recommended.

  • Assess your exposure — identify EU customers, EU subsidiaries, and contractual obligations that reference NIS2 or equivalent security standards
  • Map current controls — compare your existing security measures against NIS2's requirements to identify gaps, using Cyber Essentials as a baseline
  • Implement technical controls — ensure managed cybersecurity services cover endpoint security, access management, patch management, and network protection
  • Establish incident response procedures — document detection, escalation, and reporting processes that can meet NIS2's 24-hour early warning requirement
  • Address supply chain security — assess your key technology suppliers' security posture and document the assessment process
  • Formalise governance — ensure cybersecurity is a board-level agenda item with documented accountability for risk management decisions

The UK Regulatory Outlook

The UK government is reviewing its own NIS Regulations (2018) and is expected to update them to align with, though not directly copy, NIS2. The UK Cyber Security and Resilience Bill, announced in the King's Speech in 2024, is expected to expand the scope of UK cybersecurity regulation and introduce stricter incident reporting requirements. The average cost of a data breach for UK organisations was £3.4 million in 2024 (IBM 2024), providing a clear business case for investing in security controls now rather than waiting for regulatory deadlines.

Regardless of the specific UK regulatory timeline, the security measures NIS2 requires — risk management, access controls, incident response, supply chain security — represent good security practice that benefits any organisation. Businesses that invest in these controls now will be well-positioned for whatever regulatory framework the UK ultimately adopts, whilst also reducing their immediate risk of breach. AMVIA helps UK businesses implement the technical and organisational measures aligned with both NIS2 and UK regulatory expectations. Contact AMVIA on 0333 733 8050 to discuss NIS2 readiness.

Key Points

What UK businesses need to know about NIS2.

Expanded Scope

NIS2 covers 18 sectors including digital infrastructure, managed service providers, cloud computing, and supply chains — significantly broader than the original NIS Directive.

Stricter Security Requirements

NIS2 requires risk management processes, security policies, access control, supply chain security, incident response, and business continuity planning.

24-Hour Incident Reporting

Significant cyber incidents must be reported to relevant authorities within 24 hours — far stricter than the UK GDPR 72-hour ICO notification requirement.

Supply Chain Liability

NIS2 extends to supply chain security — organisations must assess and manage cybersecurity risks from their technology suppliers and service providers.

NIS2 Readiness Checklist

  • Assess whether EU customers may contractually require NIS2-equivalent security
  • Documented risk management process — identifying and prioritising cybersecurity risks
  • Incident response procedure — including 24-hour escalation path if required
  • Supply chain security assessment — evaluating key technology suppliers
  • Cyber Essentials controls implemented — covering NIS2's technical requirements
  • Business continuity plan documented and tested

Assess Your NIS2 Readiness

AMVIA helps UK businesses understand their NIS2 obligations and implement the technical and organisational controls that satisfy EU and upcoming UK regulatory requirements.