NIS2 Directive for UK businesses in 2026
Practical perspective from an IT leader working across operations, security, automation, and change.
NIS2 does not directly apply to UK businesses. That is the short answer. The longer, more important answer is that it does not matter - because if you supply EU organisations, work with EU subsidiaries, or operate in sectors that EU customers treat as critical, NIS2 compliance will be imposed on you through contractual requirements, procurement criteria, and supply chain security programmes.
Post-Brexit regulatory divergence has created a category of compliance obligation that catches UK businesses off guard: you are not subject to a regulation, but your customers are, and their compliance requires you to meet the same standard. NIS2 is one of the most significant examples. Understanding what it requires - and what it means for UK businesses specifically - is now a practical necessity for any UK organisation with material EU exposure.
What is the NIS2 Directive?
The Network and Information Security Directive 2 (NIS2) is an EU directive that came into force in January 2023 and required member states to transpose it into national law by October 2024. It replaces the original NIS Directive (NIS1), which was adopted in 2016 and became the basis for the UK's own NIS Regulations 2018 before Brexit.
NIS2 is substantially more demanding than its predecessor. NIS1 applied to a relatively narrow set of operators of essential services and digital service providers. NIS2 expands the scope significantly, adds stronger governance requirements, introduces personal liability for senior management, and raises penalties to levels comparable with GDPR - up to EUR 10 million or 2% of global annual turnover for essential entities, and EUR 7 million or 1.4% for important entities.
The directive applies to organisations operating in the EU in sectors classified as either essential or important:
Essential sectors: energy, transport, banking and financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
Important sectors: postal and courier services, waste management, manufacture and distribution of certain chemicals and food, manufacturing of medical devices, computers, motor vehicles, and other products, and digital providers (online marketplaces, search engines, social networks).
For UK businesses, the key question is not whether NIS2 applies directly - it does not - but whether your EU customers or partners are subject to it, and whether their compliance programmes require you to meet equivalent standards.
How the UK's own framework compares
The UK implemented NIS1 through the Network and Information Systems (NIS) Regulations 2018. These remain in force and have been updated, but the UK government has been developing its own modernisation programme separately from NIS2.
The Cyber Security and Resilience Bill - announced in the King's Speech in July 2024 - is the UK's primary vehicle for updating the NIS framework. It proposes to expand the scope of sectors covered, strengthen incident reporting obligations, and give regulators more powers. As of 2026, the Bill is progressing through Parliament, and organisations in regulated sectors should expect requirements to tighten.
The practical implication is that UK businesses in sectors equivalent to those covered by NIS2 will likely face similar obligations under UK law within the next two to three years. Aligning with NIS2 now is therefore not just about managing EU supply chain risk - it is a reasonable preparation for where UK regulation is heading.
Which UK businesses are most at risk of NIS2 pressure?
Three categories of UK business should treat NIS2 as an active compliance concern rather than a European problem:
UK subsidiaries of EU-headquartered groups. If your parent company is subject to NIS2, its group-wide security policies, risk management requirements, and incident reporting obligations will apply to your operations. You will not be assessed directly by an EU regulator, but you will be assessed by your parent's compliance function - and the standard they apply will be NIS2.
UK suppliers to EU essential or important entities. NIS2 includes explicit supply chain security requirements. Article 21 requires covered organisations to address risks in their supplier relationships, including security practices in acquisition, development, and maintenance of network and information systems. Procurement teams at NIS2-covered organisations are already adding supplier security assessments, questionnaires, and contractual clauses to manage this obligation. If you sell to EU critical infrastructure operators, healthcare systems, energy providers, or digital service providers, you will encounter these requirements.
UK businesses bidding for EU public contracts or regulated sector engagements. Procurement processes in NIS2-covered sectors are increasingly including security questionnaires that map to NIS2 requirements. Even if the client does not name NIS2 explicitly, the questions - incident response capabilities, access control policies, encryption standards, business continuity arrangements - reflect what NIS2 requires.
If none of these categories apply to your business, you can treat NIS2 as a reference framework for good practice rather than an active compliance obligation. But the sectors affected are broad, and many UK businesses have EU exposure they underestimate.
What NIS2 actually requires
NIS2's security requirements are set out in Article 21 and apply to both technical controls and governance practices. The key requirements break down into four areas:
Risk management and governance. Covered organisations must have an information security risk management process in place, with appropriate policies documented and approved by senior management. Critically, NIS2 introduces personal liability for management bodies - senior executives can be held personally responsible for failures to comply with security obligations. This is a significant change from NIS1 and reflects the EU's view that cybersecurity is a boardroom issue, not an IT department issue.
Technical security measures. The directive requires organisations to implement controls proportionate to their risk, covering: network and information system security, including network segmentation; access control and authentication, including multi-factor authentication; vulnerability and patch management; data security, including encryption of data in transit and at rest; supply chain security; and secure systems development and acquisition practices.
Incident response and reporting. NIS2 introduces a tiered incident reporting obligation. Covered organisations must notify their competent authority of significant incidents within 24 hours (early warning), provide a full incident notification within 72 hours, and submit a final report within one month. The thresholds for what constitutes a significant incident are defined in terms of impact - service disruption, financial loss, affected users - rather than attack type.
Business continuity and crisis management. Covered organisations must have documented business continuity plans and crisis management procedures, with tested recovery capabilities for significant incidents.
For UK businesses facing supply chain NIS2 pressure, the practical expectation is that your customers will ask you to demonstrate equivalence across these four areas - either through questionnaires, audits, or evidence of recognised certifications.
Steps UK businesses should take now
The following is a practical starting sequence for UK businesses with EU exposure that need to assess and address their NIS2 position:
Map your EU exposure. Identify all customers, partners, and contracts with EU entities. For each, determine whether the EU organisation is likely to be covered by NIS2. Prioritise relationships in essential and important sectors. This mapping exercise often reveals that NIS2 exposure is more significant than initially assumed.
Review your current security posture against NIS2 requirements. Article 21 provides a clear framework. Conduct a gap analysis against the four areas described above: governance and risk management, technical controls, incident response, and business continuity. If you hold Cyber Essentials or ISO 27001 certification, use your existing documentation as the baseline and identify what NIS2 adds.
Assess and update supplier contracts. If you have EU customers that are NIS2-covered, anticipate that they will seek contractual changes to address their supply chain obligations. Review your standard contract terms for security provisions. Proactively proposing appropriate clauses - rather than waiting for customers to impose theirs - is a stronger commercial position.
Establish or strengthen incident response capabilities. NIS2's 24-hour early warning requirement is demanding. If your current incident response process could not produce a structured notification to a customer or regulator within 24 hours of a significant incident, it needs work. Document your incident classification criteria, response procedures, and notification escalation paths.
Engage senior management. NIS2's personal liability provisions are a useful lever for getting executive attention. If your leadership team is not yet engaged with information security governance, presenting NIS2 in terms of personal accountability - not just regulatory risk - tends to shift the conversation.
Consider recognised certifications as evidence. For EU customers conducting supply chain assessments, ISO 27001 certification is the most widely recognised evidence of a systematic approach to information security management. It does not equal NIS2 compliance - the scopes are different - but it provides a credible foundation and reduces the audit burden in supplier assessments. Cyber Essentials addresses a narrower technical scope but is useful evidence for the access control and network security elements of NIS2.
How an IT consultant can help
NIS2 is not a simple checklist. The requirement to implement controls "proportionate to the risk" requires an organisation to first understand its risk, then make documented, defensible decisions about what controls are sufficient. Without that process, organisations either over-invest in controls they do not need or - more commonly - under-invest in areas where their actual risk is highest.
An experienced IT consultant can accelerate this process by conducting an independent gap analysis, bringing familiarity with how NIS2 requirements are being interpreted in practice by EU customers and certification bodies, and helping develop the documentation and governance structures that satisfy both internal requirements and external scrutiny.
The compliance automation frameworks and risk management approaches that work for ISO 27001 or GDPR compliance are largely reusable for NIS2. If you have already invested in those programmes, a targeted assessment of your NIS2 position is likely less work than starting from scratch.
What to do next
If your business has material EU exposure - through customers, parent companies, or supply chain relationships - the first step is an honest assessment of where you are. NIS2 requirements are not exotic. They reflect good security practice. The question for most UK businesses is not whether to implement them but how to sequence the work and demonstrate it credibly to the organisations that need to see it.
If you would like an independent view of your organisation's NIS2 readiness and a clear path forward, book a consultation. Assessments are confidential, practical, and focused on your specific exposure - not a generic compliance framework applied without context.
About the author
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.