The NIS2 Directive came into force across EU member states in October 2024, significantly expanding cybersecurity obligations for essential and important entities. While the UK is not directly subject to EU directives post-Brexit, and the US has no direct equivalent, many organisations in both jurisdictions operate EU subsidiaries or supply critical services into the EU — creating de facto NIS2 obligations that are not yet widely understood.
Who Is Actually Affected
NIS2 applies to essential and important entities across eighteen sectors including energy, transport, banking, healthcare, digital infrastructure, water, waste management, and ICT service management.
The threshold has been substantially lowered from NIS1. Organisations with 50+ employees or €10M+ in annual turnover in covered sectors are now in scope — down from the previous focus on operators of essential services only. This brings thousands of mid-market organisations into scope that were previously unaffected.
Approximately 40% of UK and US mid-market companies have some NIS2 exposure they are currently unaware of, typically through:
- EU-registered subsidiary entities in covered sectors
- Providing managed IT, cloud, or security services to EU entities in scope
- Operating as critical suppliers in supply chains serving NIS2 entities
The Technical Requirements Under Article 21
Article 21 mandates ten categories of security measure. These are not aspirational — they are legal requirements with a compliance deadline:
- Risk analysis and information system security policies — documented, board-approved, reviewed annually
- Incident handling — defined procedures for detection, response, recovery, and notification
- Business continuity — backup management, disaster recovery, crisis management
- Supply chain security — controls covering direct suppliers and service providers, not just your own organisation
- Network and information systems security — patch management, vulnerability disclosure, network segmentation
- Policies on the effectiveness of cybersecurity measures — evidence that controls actually work, not just documentation they exist
- Basic cyber hygiene practices — MFA, least privilege, endpoint protection, email security
- Mandatory cybersecurity training — for all staff, documented and verifiable
- Cryptography and encryption policies — for data at rest and in transit
- Human resources security and access control policies — background checks, offboarding procedures, access reviews
The controls map closely to the UK NCSC Cyber Assessment Framework and to ISO 27001 Annex A controls. Organisations with mature ISO 27001 implementations face a narrower gap than those starting from scratch.
Personal Liability: The Board Wake-Up Call
NIS2 introduces personal liability for management bodies that represents a genuine shift from previous frameworks. Senior executives can be:
- Held personally liable for intentional or negligent failure to comply
- Temporarily barred from management roles as a sanction for severe non-compliance
- Subject to fines separate from any levied against the organisation
This provision has driven significant board-level engagement across EU organisations. For UK and US companies with EU entities, it means that executives with governance responsibility for those entities carry personal NIS2 exposure regardless of where they sit physically.
Incident Reporting Timelines
NIS2 imposes three reporting obligations, each with a hard deadline:
| Stage | Deadline | Required Content | |-------|----------|-----------------| | Early Warning | 24 hours | Indication that a significant incident has occurred; indication of possible cross-border impact | | Initial Notification | 72 hours | Initial assessment of severity, scope, and indicators of compromise | | Final Report | 1 month | Full description, root cause analysis, mitigations applied, cross-border impact assessment |
Meeting the 24-hour early warning requirement is the hardest operationally. Organisations need:
- Automated SIEM alerting with defined severity thresholds that trigger the notification process
- Pre-written notification templates approved by legal and communications teams
- A named incident commander with the authority to notify competent authorities without requiring board approval for each incident
- Contact details for relevant national authorities documented and tested in advance
Your 90-Day Action Plan
Weeks 1–2: Scoping
Determine definitively which of your entities and services fall within NIS2. This requires mapping your corporate structure, identifying any EU-registered entities, and reviewing customer contracts for supply chain obligations. Engage legal counsel with EU regulatory expertise.
Weeks 3–4: Gap Analysis
Map your current security controls against all ten Article 21 categories. For most organisations this will reveal significant gaps in supply chain security documentation, formal risk management processes, and incident reporting procedures.
Month 2: Supply Chain Security
Supply chain security is typically the most labour-intensive gap to close. You need:
- An inventory of all critical suppliers
- Contractual obligations on your suppliers to maintain adequate security measures
- A process for assessing supplier security posture at onboarding and annually
- Clauses requiring suppliers to notify you of incidents that could affect your services
Month 3: Incident Response Runbooks
Develop incident response runbooks that specifically address NIS2 notification requirements. These should define:
- What constitutes a "significant incident" under NIS2 (disruption to service delivery, impact on availability, integrity or confidentiality of data)
- The decision tree for triggering early warning notification
- Template notifications for each of the three reporting stages
- Roles, responsibilities, and contact details for competent authorities in each relevant EU member state
Ongoing: Board Engagement
Brief your board on personal liability provisions. Most boards have not been informed of the personal sanctions NIS2 creates. Given the UK-Brexit and US-foreign-entity dynamics, this may be framed as a risk affecting EU-based colleagues and entities — but for organisations with integrated governance, that risk flows upwards.
The window to get ahead of NIS2 is closing. Competent authorities in EU member states are now operational and beginning supervisory activities. Organisations that can demonstrate a genuine, documented compliance programme — even if gaps remain — are in a materially better position than those that have not yet engaged.
How to Achieve NIS2 Readiness in 90 Days
Weeks 1–2: Scoping exercise
Determine which entities and services fall within NIS2. Map corporate structure, identify EU-registered entities, review customer contracts for supply chain obligations. Engage legal counsel with EU regulatory expertise.
Weeks 3–4: Gap analysis
Map current security controls against all ten Article 21 categories. Document existing evidence; identify gaps in supply chain security, formal risk management, and incident reporting procedures.
Month 2: Supply chain security
Build supplier inventory. Add contractual security obligations to standard agreements. Establish supplier security posture assessment process. Implement incident notification clauses with critical suppliers.
Month 3: Incident response runbooks
Define what constitutes a significant incident under NIS2. Build decision tree for the 24-hour early warning. Draft notification templates. Document competent authority contacts per EU member state.
Ongoing: Board engagement and evidence collation
Brief board on personal liability provisions. Establish quarterly compliance review. Maintain evidence of cybersecurity training, control effectiveness, and incident handling for supervisory inspections.
References
Frequently Asked Questions
Does NIS2 apply to UK and US companies after Brexit?
Not directly — but approximately 40% of UK and US mid-market companies have NIS2 exposure they are currently unaware of. If you operate EU subsidiaries, provide critical services into the EU, or are part of supply chains serving EU entities in scope, NIS2 obligations apply to those operations regardless of headquarters location.
What are the NIS2 incident reporting timelines?
NIS2 requires a 24-hour early warning for significant incidents, a 72-hour initial notification with assessment, and a final report within one month. Organisations must have automated SIEM alerting, defined severity thresholds, and pre-agreed notification templates ready before an incident occurs.
Can executives be personally liable under NIS2?
Yes. NIS2 introduces personal liability for management bodies — senior executives can be temporarily barred from management roles for non-compliance. This is a significant shift from previous frameworks and has driven substantial board-level engagement across EU and EU-adjacent organisations.
What is the difference between essential and important entities under NIS2?
Essential entities (Article 3) include energy, transport, banking, healthcare, and digital infrastructure operators of substantial size. Important entities cover the same sectors at lower thresholds plus additional sectors like postal services, waste management, and food production. Essential entities face proactive supervision; important entities face reactive (ex-post) supervision after incidents.
How does NIS2 relate to the UK Cyber Security and Resilience Bill?
The UK's Cyber Security and Resilience Bill (under development) will broadly mirror NIS2's structure and obligations within UK law, extending coverage to managed service providers and updating incident reporting requirements. UK organisations should treat NIS2 readiness as preparation for the UK equivalent — the technical controls required are substantially identical.
What sanctions does NIS2 impose?
Fines of up to €10 million or 2% of global annual turnover for essential entities (whichever is higher). Up to €7 million or 1.4% for important entities. Temporary suspension of management responsibilities for executives. Public disclosure of compliance failures. The financial cap is meaningful but the reputational and personal liability components are often more concerning to boards.
Does NIS2 require specific cybersecurity certifications?
NIS2 does not mandate specific certifications, but Article 21 controls map closely to ISO 27001, SOC 2, and Cyber Essentials Plus. Organisations holding these certifications have a substantial head start on NIS2 readiness — the gap analysis typically focuses on supply chain security, incident reporting timelines, and management body accountability.