Compliance February 2026 7 min read By Vertex9 Team

NIS2 Directive: What UK Businesses Need to Know in 2026

The EU's most significant cybersecurity regulation since GDPR is now in force across Europe. Even post-Brexit UK businesses face direct or indirect obligations. Here's what you need to understand and do.

The EU's NIS2 Directive is the most significant update to European cybersecurity regulation since GDPR came into effect in 2018. It dramatically expands the scope of mandatory security obligations, introduces personal liability for senior management, and carries penalties that make the original NIS Directive look gentle by comparison. Although the UK has left the European Union, most UK businesses would be mistaken to treat NIS2 as a purely European concern.

UK companies with EU operations, EU customers, EU suppliers, or EU-based employees face direct obligations. And even for businesses with no EU footprint whatsoever, NIS2 is shaping the trajectory of UK domestic regulation through the Cyber Security and Resilience Bill currently progressing through Parliament. Understanding NIS2 now puts UK businesses ahead of both the current enforcement wave and the incoming UK regulatory update.

What Is NIS2?

NIS2 — the Network and Information Security Directive 2 — replaced the EU's original NIS Directive and entered EU law in January 2023. Member states were required to transpose it into their national legislation by October 2024. Germany, France, the Netherlands, Belgium and most other major EU economies now have NIS2-aligned national laws in effect, with enforcement activity increasing throughout 2025 and into 2026.

The scale of the change from NIS1 to NIS2 is significant across every dimension:

  • Sectors in scope expanded from 7 to over 15, covering far more of the economy
  • Organisations in scope expanded dramatically — many medium-sized businesses now fall within NIS2 for the first time
  • Security requirements become more prescriptive: risk management frameworks, incident response, supply chain security
  • Penalties increased sharply — up to €10 million or 2% of global turnover for the most serious failures
  • Personal liability introduced — senior management can face individual fines and temporary bans from management roles

Essential entities: Fines of up to €10 million or 2% of global annual turnover, whichever is higher.

Important entities: Fines of up to €7 million or 1.4% of global annual turnover, whichever is higher.

Personal liability: Senior managers can face individual fines and temporary prohibitions from management roles if found to have been negligent in cybersecurity oversight.

Does NIS2 Apply to UK Businesses?

The answer depends on the nature of your EU exposure. There are three distinct scenarios to consider.

Scenario 1: Direct applicability

If your organisation has EU-based operations or employees, or establishes a "presence" in any EU member state — through a subsidiary, a registered office, or even a sustained commercial relationship — NIS2 can apply directly. The relevant member state's national implementation of NIS2 would be the applicable law. If you are in this situation and have not yet assessed your NIS2 exposure, that assessment is overdue.

Scenario 2: Supply chain pressure

NIS2 explicitly requires covered organisations to assess and manage the cybersecurity of their supply chains. This means that EU organisations in scope of NIS2 will impose contractual security requirements on their UK suppliers — requirements that effectively mirror NIS2 obligations even for suppliers not directly subject to the regulation. If you supply services or products to EU businesses in covered sectors, expect contractual security requirements to arrive if they haven't already.

Scenario 3: UK regulatory trajectory

The UK Cyber Security and Resilience Bill, currently progressing through Parliament, is explicitly modelled on NIS2. It expands the scope of the UK's own NIS Regulations to cover more sectors, accelerates mandatory incident reporting timelines, and introduces supply chain security requirements. UK businesses that prepare for NIS2's requirements now are simultaneously preparing for incoming UK domestic legislation.

Sectors Covered by NIS2

NIS2 divides covered entities into two tiers, each with different obligation levels and penalty maxima.

Essential Entities (Higher Obligations)

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, research, pharmaceutical)
  • Drinking water and waste water
  • Digital infrastructure (DNS, cloud, data centres)
  • ICT service management (managed service providers)
  • Central and regional government
  • Space

Important Entities (Significant Obligations)

  • Postal and courier services
  • Waste management
  • Chemicals manufacturing and distribution
  • Food production, processing and distribution
  • Manufacturing (medical devices, computers, vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

Notably, managed IT service providers (MSPs) and managed security service providers (MSSPs) are explicitly included as essential entities under NIS2 — a recognition that MSPs sit at the heart of supply chain risk for many organisations. This inclusion has significant implications for businesses evaluating their MSP's own security posture.

What NIS2 Requires

NIS2 consolidates its security obligations into five core areas. These are not optional best practice recommendations — they are mandatory requirements that regulatory authorities will verify through audits and investigation following incidents.

1. Risk Management

Covered organisations must implement and maintain a risk management framework covering: regular risk assessments, security policies for all systems, access control and identity management, encryption of data in transit and at rest, patch management and vulnerability handling, and business continuity planning. The framework must be documented, reviewed at defined intervals, and demonstrably implemented — not simply written and filed.

2. Incident Reporting

Significant security incidents must be reported to the relevant national authority on an accelerated timeline: a preliminary notification within 24 hours, a full notification within 72 hours, and a final report within one month. The definition of a "significant incident" is deliberately broad — it includes any incident that causes or could cause significant disruption to services, financial damage, or reputational harm. This requires organisations to have incident detection and classification procedures in place before an incident occurs, not during one.

3. Supply Chain Security

Covered organisations must assess and manage the cybersecurity risks arising from their relationships with suppliers and service providers. This means conducting security due diligence on key suppliers, including security requirements in supplier contracts, and monitoring supplier security posture on an ongoing basis. This is the provision most likely to affect UK businesses indirectly — as the contractual pressure flows downstream from NIS2-covered EU customers to their UK supply chains.

4. Management Accountability

NIS2 explicitly places cybersecurity at board level. Senior management must personally approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable if found to have been negligent. This is a deliberate design choice by the EU regulators: to ensure cybersecurity is treated as a governance matter, not delegated entirely to the IT function. "We didn't know what was happening in IT" is no longer a viable defence.

5. Security Training

Management and staff must receive regular cybersecurity training. This covers both general security awareness training for all employees and specific technical training for those with security responsibilities. Training must be documented and demonstrably completed — records will be requested during regulatory audits.

How to Prepare: Five Steps

  1. Determine your NIS2 exposure — establish whether NIS2 applies directly (EU operations), indirectly (EU supply chain relationships), or through the incoming UK equivalent legislation. This scoping exercise should involve both legal and IT input.
  2. Conduct a gap assessment — measure your current controls against NIS2's five requirement areas. For most organisations, the biggest gaps are incident reporting procedures and supply chain security documentation. A structured gap assessment gives you a prioritised remediation plan.
  3. Implement a risk management framework — ISO 27001 provides the most comprehensive alignment with NIS2's risk management requirements and is increasingly recognised by regulators as evidence of good practice. It is not mandatory for NIS2 compliance, but it significantly simplifies demonstrating compliance to auditors.
  4. Establish and test incident response procedures — document your incident response plan, assign roles and responsibilities, define classification criteria for significant incidents, and test the plan with tabletop exercises at least annually. Regulators will expect to see evidence of testing, not just a written plan.
  5. Brief your board — the personal liability provisions of NIS2 make cybersecurity a board-level matter. Senior leaders need to understand what NIS2 requires of them personally, approve the risk management framework, and receive regular updates on the organisation's security posture. This is a governance requirement, not just good practice.

The UK Equivalent: Cyber Security and Resilience Bill

The UK Cyber Security and Resilience Bill, expected to reach Royal Assent in 2026, is explicitly modelled on NIS2. Its headline provisions include: expanded scope covering more sectors and supply chain dependencies, faster mandatory incident reporting (24-hour preliminary notification, aligned with NIS2), supply chain security requirements, and strengthened enforcement powers for regulators. For UK businesses, the practical message is straightforward: preparing for NIS2 is effectively preparing for incoming UK domestic law.

In the interim, the UK government's Cyber Essentials scheme remains the baseline recommendation for all UK businesses. Cyber Essentials addresses some of NIS2's technical control requirements — see our complete guide to Cyber Essentials in 2026 for a full breakdown. ISO 27001 provides more comprehensive alignment for organisations facing NIS2 obligations directly.

The businesses that treat NIS2 as an opportunity to build a genuine security foundation will be better positioned than those that treat it as a compliance checkbox. Regulators on both sides of the Channel are increasingly differentiating between organisations that have embedded security and those that have simply documented it.

Assess Your NIS2 Readiness

Vertex9 provides NIS2 gap assessments, risk management framework implementation, and ongoing compliance support for UK businesses navigating the evolving regulatory landscape. Start with a free cybersecurity assessment to understand where you stand.


Frequently Asked Questions

Is NIS2 now in force?

NIS2 became EU law in January 2023. EU member states were required to transpose it into national legislation by October 2024. The German, French, Dutch and most other major EU member state implementations are now in effect, and enforcement activity is increasing across Europe throughout 2026.

What are the NIS2 penalties?

For essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of global annual turnover. Senior management can also face personal fines and temporary bans from management roles if found to have been negligent in their cybersecurity oversight duties.

Is Cyber Essentials enough for NIS2?

Cyber Essentials covers some of NIS2's basic technical control requirements but does not address the full scope of NIS2 obligations — particularly risk management frameworks, incident reporting procedures, supply chain security assessments, and management accountability requirements. ISO 27001 provides more comprehensive alignment and is increasingly recognised by EU regulators as evidence of substantive compliance.

Do I need a CISO to comply with NIS2?

NIS2 requires designated cybersecurity responsibility at senior management level, but does not mandate a specific role title. A virtual CISO (vCISO) service can fulfil this requirement at a fraction of the cost of a full-time hire — providing the required governance structure, board-level reporting, and oversight without a permanent senior appointment.

Where should I start with NIS2 preparation?

Begin with a cybersecurity gap assessment against NIS2's five core requirement areas: risk management, incident reporting, supply chain security, management accountability, and security training. This produces a clear picture of where you stand and what remediation work is required — before any enforcement action turns attention to your sector. Vertex9 offers a free initial assessment — contact us to discuss your situation.