NIS2 Compliance Guide for UK Organisations 2026

By Andrew Jewnes

If you operate in the UK and trade with EU partners, you are almost certainly subject to two separate cybersecurity regimes right now, and most compliance guides only cover one of them. The EU’s NIS2 Directive (Directive 2022/2555) applies to your EU-established entities and any services you provide into EU member states. The UK’s Network and Information Systems Regulations 2018 (NISR 2018), currently being overhauled by the Cyber Security and Resilience Bill, governs your UK operations. The obligations are similar in spirit, significantly different in scope and enforcement, and neither one exempts you from the other.

This guide is for CISOs, compliance officers, and IT directors at UK organisations with EU operations. It maps both frameworks side by side, gives you a working checklist for 2026, and explains what the forthcoming UK legislation changes specifically for your risk posture.

Why the UK and EU Now Have Different Cybersecurity Laws

Before Brexit, the UK implemented the original NIS Directive (Directive 2016/1148) through the Network and Information Systems Regulations 2018. When the EU replaced that directive with NIS2 in 2022, EU member states were required to transpose it into national law by October 2024. The UK, no longer bound by EU directives, chose not to follow. As Travers Smith confirmed in their November 2025 briefing, “the UK is no longer obliged to follow NIS2 post-Brexit” and the UK’s Cyber Security and Resilience Bill “scope is narrower than NIS2 and less prescriptive about the measures that in-scope entities must take.”

This creates a compliance gap that most generic NIS2 checklists completely ignore. A UK-headquartered firm with subsidiaries in Germany, France, or the Netherlands must simultaneously comply with EU NIS2 at the member state level and UK NISR 2018 domestically, while also preparing for the upcoming CSR Bill amendments. That’s three overlapping frameworks, and the terminology does not always align.

The NCSC’s Annual Report published in October 2025 documented 204 nationally significant cyber attacks in the year to September 2025, up from 89 the previous year. That near-doubling in one year, combined with high-profile incidents at Marks and Spencer, Jaguar Land Rover, and the NHS, accelerated the UK government’s decision to introduce the Cyber Security and Resilience Bill, which is currently progressing through Parliament. Cyber attacks already cost the UK economy an estimated £15 billion per year, a figure cited in the Bill’s own impact assessment.

Who Is in Scope: UK NISR 2018 vs EU NIS2

The most consequential difference between the two frameworks is who they cover. Getting your scope determination wrong means either over-investing in compliance for entities that don’t need it, or leaving regulated entities exposed to enforcement action.

| Category | UK NISR 2018 (current) | EU NIS2 Directive | UK CSR Bill (incoming) |
|---|---|---|---|
| Essential services sectors | Energy, transport, water, health, digital infrastructure | 18 sectors including manufacturing, food, postal, public administration | As NISR 2018 plus data centres and load controllers |
| Digital service providers | Online marketplaces, search engines, cloud computing | Same plus DNS providers, TLD registries, CDN providers, data centre services | As NISR 2018 plus managed service providers |
| Managed service providers | Not covered | Covered (medium and large only) | Covered as new category (medium and large) |
| Supply chain entities | Not directly regulated | Not directly regulated (obligations on principal entities) | “Critical suppliers” can be designated and directly regulated |
| Size thresholds | No explicit threshold (sector-based OES designation) | Important: 50+ employees or €10m+ turnover; Essential: 250+ employees or €50m+ turnover | MSPs: medium and large businesses only (50+ employees, €10m+ turnover) |
| Manufacturing | Not covered | Covered | Not covered (acknowledged gap in the Bill) |

For UK firms trading with EU customers, the practical consequence is this: if you provide digital services into the EU, your EU operations must comply with NIS2 as implemented in each relevant member state. Your UK operations remain under NISR 2018 and, once passed, the CSR Bill amendments. A unified control framework that satisfies both is achievable, but it requires conscious design rather than copying a single checklist.

The 10 Core Security Requirements Under EU NIS2

EU NIS2 Article 21 sets out the minimum cybersecurity risk management measures that in-scope entities must implement. Unlike the original NIS Directive, NIS2 is prescriptive. These are not principles; they are specific requirements with no opt-out on the basis of proportionality alone.

Your NIS2-obligated EU entities need documented evidence of all of the following as of the applicable member state transposition date:

  • Policies on risk analysis and information system security
  • Incident handling procedures covering detection, response, and recovery
  • Business continuity and crisis management, including backup management and disaster recovery
  • Supply chain security, addressing the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability disclosure and handling
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training across the organisation
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • Use of multi-factor authentication or continuous authentication solutions

NIS2 also introduces a two-tier entity classification. Essential entities, the larger organisations in sectors such as energy, transport, banking, and health, face more stringent obligations and proactive supervision. Important entities face the same requirements but are subject to reactive supervision: regulators act after an incident rather than before it. Your classification determines both your compliance obligations and your enforcement exposure.

UK NIS2 Compliance Checklist 2026

The following checklist covers your obligations across both frameworks. Items marked [UK] apply under NISR 2018 and the forthcoming CSR Bill. Items marked [EU] apply to your EU-established entities or EU-facing services under NIS2. Items marked [Both] apply under both regimes.

Governance and Risk Management

  • [Both] Board-level ownership of cybersecurity risk formally assigned. Under NIS2, management bodies can be held personally liable for infringements.
  • [Both] Written cybersecurity risk management policy reviewed at least annually and approved at board level.
  • [Both] Risk assessment methodology documented and applied to all network and information systems in scope.
  • [EU] For essential entities under NIS2: risk assessment results shared with the relevant national competent authority on request.
  • [UK] Alignment with the NCSC Cyber Assessment Framework (CAF) for designated operators of essential services. CAF is the UK’s primary assurance tool under NISR 2018.

Incident Response and Notification Timelines

Notification timing is where the two frameworks diverge most sharply from each other, and where organisations most frequently get caught out during an active incident.

  • [EU] NIS2 requires a three-stage notification process: early warning within 24 hours of becoming aware, incident notification within 72 hours, final report within one month.
  • [UK] Under current NISR 2018: notify the competent authority “without undue delay” and no later than 72 hours after becoming aware of a significant incident.
  • [UK] Under the incoming CSR Bill: initial notification within 24 hours, full report within 72 hours. This aligns UK timing with EU NIS2 for the first time.
  • [Both] Customer notification obligations where an incident could affect customers. Both frameworks now require direct customer notification, not just regulatory notification.
  • [Both] Documented incident response plan tested at least annually. Tabletop exercises should simulate the actual notification timelines, not generic attack scenarios.
  • [Both] Near-misses captured and assessed. The CSR Bill explicitly covers incidents “capable of” causing significant impact, not just those that have caused actual disruption.

Supply Chain Security

Supply chain security is where EU NIS2 is significantly more demanding than current UK law. The CSR Bill partially addresses this gap through the “critical supplier” designation mechanism, but the approaches differ structurally.

  • [EU] NIS2 requires entities to assess cybersecurity practices of their direct suppliers and service providers. Assessments must be documented and proportionate to the risk each supplier presents.
  • [EU] Supply chain security must address the overall quality of products and cybersecurity practices of your suppliers, including secure development practices where relevant.
  • [UK] Under the CSR Bill: competent authorities can designate specific “critical suppliers” to OESs and DSPs, bringing them directly within the NIS regime. If your organisation is a supplier to UK critical infrastructure, you may be directly designated even if you are not otherwise in scope.
  • [Both] Maintain a supplier register with security assessments for all third parties with access to your network and information systems.
  • [Both] Contractual cybersecurity requirements in all critical third-party relationships. Both frameworks expect you to flow down relevant security obligations to your supply chain.

Technical Security Controls

  • [Both] Multi-factor authentication deployed for all administrative access and all remote access to systems. NIS2 Article 21 explicitly requires MFA or continuous authentication solutions.
  • [Both] Encryption policy covering data in transit and data at rest, with documented cryptographic standards reviewed against current NCSC guidance.
  • [Both] Vulnerability management programme including timely patching, vulnerability scanning, and a process for handling disclosed vulnerabilities within defined timelines.
  • [Both] Network segmentation implemented to limit lateral movement in the event of a breach, particularly between operational technology and IT systems.
  • [Both] Backup and recovery capability tested against defined recovery time objectives (RTO) and recovery point objectives (RPO). Document both targets and test results.
  • [UK] Cyber Essentials or Cyber Essentials Plus certification is the NCSC-recommended baseline for demonstrating supply chain security to regulated entities. It does not substitute for NISR 2018 compliance.
  • [EU] NIS2 does not mandate specific certifications, but several EU member states apply national certification schemes as part of their NIS2 transposition.

Business Continuity and Crisis Management

  • [Both] Business continuity plan covering cyber incidents, tested at least annually with a documented exercise report retained as evidence.
  • [Both] Crisis management procedures with defined escalation paths to senior leadership and the board, tested separately from technical incident response.
  • [EU] Essential entities must demonstrate they can maintain or rapidly restore service continuity during a cyber incident affecting their primary systems.
  • [UK] The NCSC recommends organisations enrol in NCSC’s Early Warning system to receive threat intelligence relevant to their sector before an incident occurs.

Training and Awareness

  • [Both] Cybersecurity training mandatory for all staff, with documented completion records maintained.
  • [EU] NIS2 explicitly requires cybersecurity training for management bodies, not just operational staff. Board members must understand the cybersecurity risks facing the organisation at a level sufficient to make informed decisions.
  • [Both] Cyber hygiene baseline established and communicated organisation-wide, covering password management, phishing awareness, and secure remote working practices.

Penalties: What Non-Compliance Actually Costs

Under EU NIS2, essential entities can face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of worldwide annual turnover. These figures apply per member state, so a UK organisation with subsidiaries in four EU countries faces four separate enforcement jurisdictions and four separate maximum exposures.

Under the incoming UK Cyber Security and Resilience Bill, the penalty structure works as follows:

  • Serious breaches: the higher of £17 million or 4% of worldwide annual turnover
  • Less severe violations: the higher of £10 million or 2% of worldwide annual turnover
  • Continuing non-compliance: daily fines of up to £100,000 per day until the issue is remediated

Regulators under the CSR Bill are also empowered to charge regulated entities for supervisory costs through cost recovery schemes, adding financial exposure beyond formal fines. The 4% global turnover cap mirrors the GDPR structure, which UK regulators already apply under UK GDPR. If your GDPR compliance programme is mature, you already understand the mechanics; the NIS penalty framework operates similarly but through sector-specific competent authorities rather than the ICO alone.

For context, the JLR cyber attack in 2025 is estimated to have cost the UK economy £1.9 billion. The British Library ransomware attack in late 2023 disrupted services for months and cost millions to remediate. The regulatory fines are calibrated to be large enough relative to remediation costs that pre-incident investment becomes the rational financial choice.

New Entities in Scope Under the UK CSR Bill

The Cyber Security and Resilience Bill extends the UK NIS regime to three categories of organisation not previously covered. If your organisation falls into any of these categories, compliance preparation should begin now.

Data Centre Operators. Standalone data centres with a rated IT load of 1MW or above fall in scope. Enterprise data centres, those serving only the owning organisation’s internal needs, fall in scope at a 10MW threshold. The Secretary of State for Science, Innovation and Technology and Ofcom act jointly as the competent authority. Both the physical infrastructure and supporting systems, including power supply, cooling, and security infrastructure, are included in the definition.

Managed Service Providers. A “relevant managed service provider” (RMSP) is any medium or large business providing ongoing management of IT systems to third-party customers where the provider has access or a connection to network and information systems on which the customer relies. Micro and small enterprises under 50 employees and with annual turnover at or below €10 million are explicitly excluded. The Information Commission, replacing the ICO, will serve as the competent authority for RMSPs.

Critical Suppliers. Competent authorities can designate specific suppliers to OESs and DSPs as “critical suppliers,” bringing them directly within the NIS regulatory regime even if they would not otherwise qualify. Designation criteria centre on whether disruption to that supplier’s systems could have a significant impact on the UK economy or day-to-day functioning of society. Healthcare diagnostic suppliers to the NHS and chemical suppliers to water companies are cited in government guidance as illustrative examples. A single supplier can be designated by multiple competent authorities simultaneously.

Building a Unified Control Framework for UK and EU Operations

Running two separate compliance programmes, one for UK NISR 2018 and one for EU NIS2, creates version control problems that expose you to gaps in both frameworks. A unified control framework mapped to both regimes is achievable because the underlying security requirements substantially overlap.

Start with EU NIS2 Article 21 requirements as your baseline. They are more prescriptive and cover a broader set of controls than current UK NISR 2018. If you build your control framework to satisfy NIS2, you will satisfy NISR 2018 in all material respects. Then layer UK-specific requirements on top: CAF alignment for UK OES designations, Cyber Essentials for supply chain management, and the CSR Bill additions as they are confirmed through secondary legislation.

For incident notification, design your internal escalation process to the tightest timeline across both frameworks: 24 hours for initial notification to both UK and EU competent authorities. Even if your current UK obligations allow 72 hours, the CSR Bill will tighten this, and operating to a single 24-hour standard prevents compliance failures caused by different procedures for different jurisdictions.

Supply chain due diligence requires genuine investment rather than documentation alone. NIS2 Article 21 supply chain requirements mean you need to assess the cybersecurity practices of your direct suppliers, not just contractually require them to be compliant. This means questionnaires, evidence requests, and proportionate right-to-audit clauses. Your zero trust security architecture should extend to how you connect third-party suppliers to your systems, because a supplier breach that propagates into your network is treated as your incident under both frameworks.

Your incident response planning process should be tested against both sets of notification timelines simultaneously. Run a tabletop exercise that starts with detection at hour zero and walks through what you notify, to whom, and in what format at the 24-hour and 72-hour marks. Doing this once with both regimes in the scenario is more efficient than two separate exercises and reflects the reality of a dual-jurisdiction breach.
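The "tightest timeline across both frameworks" rule above and the tabletop exercise it feeds can be made concrete with a small scheduler. The following is an added example written for this guide, not code from the article or from Shield Operations. It encodes only the timelines the guide quotes (EU NIS2: 24 hours, 72 hours, one month; current UK NISR 2018: 72 hours; incoming CSR Bill: 24 hours, 72 hours), merges them into one schedule with the earliest deadline per stage, and reports which stages are already overdue at any injected time mark. The regime dictionary, the normalised stage names ("initial notification", "full notification", "final report") and the helper names are this example's own assumptions, not terms from either statute.

```python
"""Unified incident-notification schedule for a dual-jurisdiction breach.

Added example for the NIS2/UK compliance guide; not the article's own code.
Timelines are the ones the guide quotes. The stage names used to line the
regimes up against each other are an assumption of this example:
  initial notification = EU "early warning" / CSR "initial notification"
                         / NISR 2018's single 72-hour notification
  full notification    = EU "incident notification" / CSR "full report"
  final report         = EU one-month final report
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar


@dataclass(frozen=True)
class Deadline:
    stage: str
    regime: str   # which regime sets the tightest deadline for this stage
    due: datetime


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition, clamped to the last day of the target month
    (31 Jan -> 28/29 Feb), so 'within one month' never overflows."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


# Stage -> deadline rule per regime (dict shape is this example's construct).
REGIMES = {
    "EU NIS2": [
        ("initial notification", lambda t: t + timedelta(hours=24)),
        ("full notification", lambda t: t + timedelta(hours=72)),
        ("final report", add_one_month),
    ],
    "UK NISR 2018 (current)": [
        ("initial notification", lambda t: t + timedelta(hours=72)),
    ],
    "UK CSR Bill (incoming)": [
        ("initial notification", lambda t: t + timedelta(hours=24)),
        ("full notification", lambda t: t + timedelta(hours=72)),
    ],
}


def unified_schedule(detected_at: datetime, regimes):
    """One deadline per stage: the earliest across the selected regimes,
    sorted by due time. Requires a timezone-aware detection timestamp so
    deadlines are unambiguous across jurisdictions."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    tightest = {}
    for regime in regimes:
        for stage, rule in REGIMES[regime]:
            due = rule(detected_at)
            if stage not in tightest or due < tightest[stage].due:
                tightest[stage] = Deadline(stage, regime, due)
    return sorted(tightest.values(), key=lambda d: d.due)


def overdue_stages(schedule, now: datetime):
    """Stages whose deadline has passed at `now`: the check a tabletop
    facilitator runs at each injected time mark (e.g. hour 24, hour 72)."""
    return [d.stage for d in schedule if now >= d.due]


if __name__ == "__main__":
    # Constructed detection time; end of January exercises the month clamp.
    t0 = datetime(2026, 1, 31, 9, 0, tzinfo=timezone.utc)
    schedule = unified_schedule(t0, ["EU NIS2", "UK NISR 2018 (current)"])
    for d in schedule:
        print(f"{d.due:%Y-%m-%d %H:%M %Z}  {d.stage:22}  set by {d.regime}")
    print("overdue at hour 30:", overdue_stages(schedule, t0 + timedelta(hours=30)))
```

Running it with both regimes selected shows why the guide says to operate to a single 24-hour standard: the UK's current 72-hour window never becomes the binding deadline for any stage once an EU entity is in the incident, and swapping in "UK CSR Bill (incoming)" leaves the merged schedule unchanged.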

Cloud infrastructure hosting UK data or UK essential services needs attention across both frameworks. Your cloud security posture across AWS, Azure, and GCP should reflect the access control, logging, resilience, and encryption requirements of both NISR 2018 and NIS2, particularly if the same cloud environment serves both UK and EU customers.

Frequently Asked Questions About NIS2 and UK Compliance

Does NIS2 apply to UK companies?

NIS2 applies to organisations established in EU member states, and to organisations established outside the EU that provide services into EU member states in sectors covered by the directive. If you are a UK company providing cloud computing, online marketplace services, or other NIS2-covered services to EU customers, the directive likely requires you to designate a representative in the EU. The UK itself does not enforce NIS2. UK domestic operations remain governed by NISR 2018 and, once enacted, the Cyber Security and Resilience Bill.

What is the difference between NIS2 and the UK Cyber Security and Resilience Bill?

NIS2 is an EU directive with broad sectoral scope covering 18 sectors, prescriptive Article 21 security requirements, and mandatory size thresholds distinguishing essential and important entities. The UK Cyber Security and Resilience Bill amends NISR 2018 and covers a narrower set of sectors, adding data centres, managed service providers, and load controllers. The Bill is less prescriptive on specific security measures but gives the Secretary of State significant power to impose additional requirements through secondary legislation. Penalty structures are broadly comparable in financial scale.

When does the UK Cyber Security and Resilience Bill come into force?

The Bill was introduced to Parliament in November 2025 and is progressing through its parliamentary stages. Many substantive reforms require secondary legislation to take effect after Royal Assent. As of March 2026, no implementation date has been confirmed. Organisations in newly in-scope categories, particularly managed service providers and data centre operators, should treat compliance preparation as active work rather than a future exercise.

What is an operator of essential services (OES) under UK law?

An operator of essential services is an organisation formally designated by a UK competent authority under NISR 2018. OES sectors include electricity, oil, gas, air transport, water transport, rail, road transport, healthcare, drinking water supply, and digital infrastructure. Designation involves a formal assessment by the relevant competent authority and written notification. Designated OESs have specific obligations around security measures, incident reporting to the NCSC, and ongoing engagement with their competent authority.

Does Cyber Essentials certification satisfy NIS2 or NISR 2018?

No. Cyber Essentials is a UK government-backed baseline certification covering five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It does not substitute for NISR 2018 compliance or NIS2 compliance. Its primary value within the NIS frameworks is as a supply chain risk management signal. For your own compliance obligations as an OES, DSP, or RMSP, Cyber Essentials is a useful baseline but a separate, more comprehensive compliance assessment is required.

Get Your NIS2 and UK Compliance Assessment

Most organisations underestimate how much work a dual-framework compliance programme requires until they attempt to map their control evidence to two separate sets of regulatory expectations simultaneously. If you are uncertain about your scope under NISR 2018, preparing for the CSR Bill changes, or need to assess what EU NIS2 means for your EU-facing operations, Shield Operations provides structured compliance assessments built around both frameworks. Contact us to assess your gaps and what remediation requires in practical terms.

Written by Andrew Jewnes

Andrew writes about cybersecurity and network defense for Shield Operations. He focuses on practical hardening, cloud security, and the tradeoffs behind enterprise tooling decisions.