The NIS2 Directive (Directive (EU) 2022/2555) had to be transposed into national law by EU member states by 17 October 2024, significantly expanding cybersecurity obligations compared with the original NIS Directive. The UK is not directly subject to EU directives post-Brexit, but many UK organisations operate EU subsidiaries or supply critical services into the EU. In addition, an entity not established in the EU that offers certain digital services there (DNS, cloud computing, data centre, content delivery, managed and managed security services, online marketplaces, search engines and social networking platforms) falls under NIS2 directly and must designate a representative in the EU. The resulting obligations are not yet widely understood.

Who Is Actually Affected

NIS2 applies to essential and important entities across eighteen sectors: eleven sectors of high criticality in Annex I (including energy, transport, banking, health and digital infrastructure) and seven other critical sectors in Annex II. Scope is now set by a size cap rather than by member-state designation: medium-sized and large enterprises in a covered sector are in scope, which in practice means at least 50 employees, or annual turnover and balance sheet total both above €10M. Some entity types are in scope regardless of size, for example DNS service providers, top-level domain name registries and qualified trust service providers. Approximately 40% of UK mid-market companies have some NIS2 exposure they are currently unaware of.

The Technical Requirements Under Article 21

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, including backup management, disaster recovery and crisis management
  • Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the risk-management measures
  • Basic cyber hygiene practices and cybersecurity training (training is mandatory for management body members under Article 20; offering it to all employees is encouraged)
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

NIS2 places accountability on management bodies. Under Article 20 they must approve the risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for infringements. Under Article 32, supervisory authorities can, for essential entities, temporarily prohibit a natural person with managerial responsibility at chief executive or legal representative level from exercising managerial functions in that entity. Administrative fines reach up to €10M or 2% of global annual turnover for essential entities and €7M or 1.4% for important entities. This has driven significant board-level engagement in EU organisations.

Incident Reporting Timelines

Article 23 requires an entity to notify its CSIRT or competent authority of any significant incident, meaning one that has caused or is capable of causing severe operational disruption or financial loss, or considerable material or non-material damage to others. Three deadlines apply, all counted from the moment the entity becomes aware of the incident: an early warning within 24 hours, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact; an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise; and a final report within one month of that notification, covering a detailed description, the type of threat or root cause, mitigation applied and any cross-border impact. Intermediate status updates may be requested, and if the incident is still ongoing after a month a progress report is due then with the final report within a month of the incident being handled. Because the clock starts at awareness, the runbook needs an explicit definition of when an alert becomes a recognised significant incident, automated SIEM alerting feeding that triage step, severity thresholds mapped to the significance criteria above, and pre-agreed notification templates for each of the three submissions.

Your 90-Day Action Plan

  • Weeks 1–2: Scoping exercise to confirm which entities and services fall within NIS2
  • Weeks 3–4: Gap analysis mapping current controls against Article 21 requirements
  • Month 2: Prioritise supply chain security assessments
  • Month 3: Establish incident reporting runbooks meeting the 24-hour early warning, 72-hour notification and one-month final report requirements
  • Ongoing: Engage board on personal liability provisions