The NIS2 Directive came into force across EU member states in October 2024, significantly expanding cybersecurity obligations for essential and important entities. While the UK is not directly subject to EU directives post-Brexit, and the US has no direct equivalent, many organisations in both jurisdictions operate EU subsidiaries or supply critical services into the EU — creating de facto NIS2 obligations that are not yet widely understood.

Who Is Actually Affected

NIS2 applies to essential and important entities across eighteen sectors including energy, transport, banking, healthcare, digital infrastructure, water, waste management, and ICT service management.

The threshold has been substantially lowered from NIS1. Organisations with 50+ employees or €10M+ in annual turnover in covered sectors are now in scope — down from the previous focus on operators of essential services only. This brings thousands of mid-market organisations into scope that were previously unaffected.

Approximately 40% of UK and US mid-market companies have some NIS2 exposure they are currently unaware of, typically through:

  • EU-registered subsidiary entities in covered sectors
  • Providing managed IT, cloud, or security services to EU entities in scope
  • Operating as critical suppliers in supply chains serving NIS2 entities

The Technical Requirements Under Article 21

Article 21 mandates ten categories of security measure. These are not aspirational — they are legal requirements with a compliance deadline:

  1. Risk analysis and information system security policies — documented, board-approved, reviewed annually
  2. Incident handling — defined procedures for detection, response, recovery, and notification
  3. Business continuity — backup management, disaster recovery, crisis management
  4. Supply chain security — controls covering direct suppliers and service providers, not just your own organisation
  5. Network and information systems security — patch management, vulnerability disclosure, network segmentation
  6. Policies on the effectiveness of cybersecurity measures — evidence that controls actually work, not just documentation they exist
  7. Basic cyber hygiene practices — MFA, least privilege, endpoint protection, email security
  8. Mandatory cybersecurity training — for all staff, documented and verifiable
  9. Cryptography and encryption policies — for data at rest and in transit
  10. Human resources security and access control policies — background checks, offboarding procedures, access reviews

The controls map closely to the UK NCSC Cyber Assessment Framework and to ISO 27001 Annex A controls. Organisations with mature ISO 27001 implementations face a narrower gap than those starting from scratch.

Personal Liability: The Board Wake-Up Call

NIS2 introduces personal liability for management bodies that represents a genuine shift from previous frameworks. Senior executives can be:

  • Held personally liable for intentional or negligent failure to comply
  • Temporarily barred from management roles as a sanction for severe non-compliance
  • Subject to fines separate from any levied against the organisation

This provision has driven significant board-level engagement across EU organisations. For UK and US companies with EU entities, it means that executives with governance responsibility for those entities carry personal NIS2 exposure regardless of where they sit physically.

Incident Reporting Timelines

NIS2 imposes three reporting obligations, each with a hard deadline:

| Stage | Deadline | Required Content | |-------|----------|-----------------| | Early Warning | 24 hours | Indication that a significant incident has occurred; indication of possible cross-border impact | | Initial Notification | 72 hours | Initial assessment of severity, scope, and indicators of compromise | | Final Report | 1 month | Full description, root cause analysis, mitigations applied, cross-border impact assessment |

Meeting the 24-hour early warning requirement is the hardest operationally. Organisations need:

  • Automated SIEM alerting with defined severity thresholds that trigger the notification process
  • Pre-written notification templates approved by legal and communications teams
  • A named incident commander with the authority to notify competent authorities without requiring board approval for each incident
  • Contact details for relevant national authorities documented and tested in advance

Your 90-Day Action Plan

Weeks 1–2: Scoping

Determine definitively which of your entities and services fall within NIS2. This requires mapping your corporate structure, identifying any EU-registered entities, and reviewing customer contracts for supply chain obligations. Engage legal counsel with EU regulatory expertise.

Weeks 3–4: Gap Analysis

Map your current security controls against all ten Article 21 categories. For most organisations this will reveal significant gaps in supply chain security documentation, formal risk management processes, and incident reporting procedures.

Month 2: Supply Chain Security

Supply chain security is typically the most labour-intensive gap to close. You need:

  • An inventory of all critical suppliers
  • Contractual obligations on your suppliers to maintain adequate security measures
  • A process for assessing supplier security posture at onboarding and annually
  • Clauses requiring suppliers to notify you of incidents that could affect your services

Month 3: Incident Response Runbooks

Develop incident response runbooks that specifically address NIS2 notification requirements. These should define:

  • What constitutes a "significant incident" under NIS2 (disruption to service delivery, impact on availability, integrity or confidentiality of data)
  • The decision tree for triggering early warning notification
  • Template notifications for each of the three reporting stages
  • Roles, responsibilities, and contact details for competent authorities in each relevant EU member state

Ongoing: Board Engagement

Brief your board on personal liability provisions. Most boards have not been informed of the personal sanctions NIS2 creates. Given the UK-Brexit and US-foreign-entity dynamics, this may be framed as a risk affecting EU-based colleagues and entities — but for organisations with integrated governance, that risk flows upwards.

The window to get ahead of NIS2 is closing. Competent authorities in EU member states are now operational and beginning supervisory activities. Organisations that can demonstrate a genuine, documented compliance programme — even if gaps remain — are in a materially better position than those that have not yet engaged.