The NIS2 Directive is now in enforcement. Organisations classified as essential or important entities across 18 sectors must demonstrate compliance with its cybersecurity requirements or face fines of up to EUR 10 million. NIS2 (Directive (EU) 2022/2555) is the European Union's updated Network and Information Security legislation, replacing the original NIS Directive adopted in 2016. It establishes a higher baseline of cybersecurity measures across member states, broadens the scope of regulated organisations, and introduces mandatory incident reporting timelines and significant penalties for non-compliance.
This guide explains what NIS2 requires, who must comply, how it affects UK organisations, and what practical steps you can take to meet your obligations.
What Is the NIS2 Directive?
The NIS2 Directive (formally Directive (EU) 2022/2555) was adopted by the European Parliament and Council in December 2022. Member states were required to transpose it into national law by 17 October 2024, and enforcement is now active.
NIS2 exists because the original NIS Directive (2016) proved insufficient. The original directive covered a narrow set of sectors, allowed member states significant discretion in implementation, and created an uneven cybersecurity landscape across Europe. Fragmented transposition meant that an organisation operating across multiple EU member states could face different requirements in each jurisdiction.
NIS2 addresses these shortcomings by:
- Expanding scope: Covering 18 sectors compared to the original 7, and explicitly including medium-sized enterprises (50+ employees or EUR 10M+ turnover)
- Harmonising requirements: Establishing consistent baseline security measures across all member states
- Strengthening enforcement: Introducing mandatory penalties with defined minimum thresholds
- Adding governance obligations: Requiring board-level accountability for cybersecurity risk management
- Mandating supply chain security: Requiring organisations to assess and manage cybersecurity risks in their supply chains
- Tightening incident reporting: Requiring an early warning within 24 hours of becoming aware of a significant incident
Who Must Comply with NIS2?
NIS2 classifies regulated organisations into two categories: essential entities and important entities. The distinction affects the intensity of regulatory supervision and the maximum penalties, but the core security requirements apply to both.
Essential Entities
Essential entities are organisations in high-criticality sectors that meet the size threshold (250+ employees or EUR 50M+ turnover). These sectors include:
- Energy: Electricity, oil, gas, hydrogen, district heating
- Transport: Air, rail, water, road
- Banking and financial market infrastructures
- Health: Hospitals, healthcare providers, pharmaceutical manufacturers, medical device manufacturers
- Drinking water supply and distribution
- Wastewater management
- Digital infrastructure: Internet exchange points, DNS providers, TLD registries, cloud computing providers, data centre operators, content delivery networks, trust service providers, public electronic communications networks
- ICT service management (B2B): Managed service providers, managed security service providers
- Public administration (central government level)
- Space: Operators of ground-based infrastructure
Important Entities
Important entities operate in additional sectors and may be medium-sized (50+ employees or EUR 10M+ turnover):
- Postal and courier services
- Waste management
- Chemical manufacturing, production, and distribution
- Food production, processing, and distribution
- Manufacturing: Medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles, transport equipment
- Digital providers: Online marketplaces, search engines, social networking platforms
- Research organisations
Size Threshold
NIS2 applies to medium-sized and large organisations as defined by EU criteria: 50 or more employees, or annual turnover (or balance sheet total) of EUR 10 million or more. Some entities are covered regardless of size, including DNS service providers, TLD registries, and public electronic communications providers.
What Are the Key NIS2 Security Requirements?
Article 21 of NIS2 specifies the cybersecurity risk management measures that all regulated entities must implement. These are principle-based rather than prescriptive, giving organisations flexibility in implementation while requiring demonstrable compliance.
1. Risk Analysis and Information System Security Policies
Organisations must establish and maintain risk management frameworks that identify, assess, and treat cybersecurity risks. This includes documented security policies, regular risk assessments, and evidence that risk treatment decisions are informed by current threat intelligence.
2. Incident Handling
Organisations must have processes and capabilities for detecting, managing, and responding to cybersecurity incidents. NIS2's incident reporting requirements are among its most prescriptive elements:
- 24 hours: Early warning to the relevant CSIRT (Computer Security Incident Response Team) or competent authority
- 72 hours: Incident notification with initial assessment of severity, impact, and indicators of compromise
- 1 month: Final report with detailed description, root cause analysis, mitigation measures, and cross-border impact (if applicable)
Meeting the 24-hour early warning requirement demands automated detection capabilities. Organisations relying on manual log review or periodic threat hunts will struggle to identify significant incidents within this timeframe.
3. Business Continuity and Crisis Management
Organisations must maintain business continuity plans, disaster recovery procedures, and crisis management frameworks. This includes backup management, system redundancy, and regular testing of continuity procedures.
4. Supply Chain Security
Organisations must assess and manage cybersecurity risks arising from their supply chain and third-party service providers. This requires due diligence on supplier security practices, contractual security requirements, and ongoing monitoring of supply chain risk.
5. Security in Network and Information Systems Acquisition, Development, and Maintenance
Organisations must integrate security throughout the lifecycle of their network and information systems, from procurement through development, deployment, and decommissioning. This includes vulnerability management, patch management, and secure configuration practices.
6. Cybersecurity Risk Management Effectiveness Assessment
Organisations must regularly assess the effectiveness of their cybersecurity measures through audits, testing, and review. Penetration testing, vulnerability assessments, and security architecture reviews are all relevant practices.
7. Cybersecurity Hygiene and Training
Basic cybersecurity hygiene practices and regular security awareness training for all staff, including senior management, are mandatory requirements.
8. Cryptography and Encryption
Organisations must implement policies and procedures for the use of cryptography and, where appropriate, encryption to protect sensitive data.
9. Human Resources Security and Access Control
Access control policies, identity management, and the principle of least privilege must be implemented and maintained.
10. Multi-Factor Authentication and Secure Communications
The use of multi-factor authentication (MFA), continuous authentication solutions, and secured voice, video, and text communications is required where appropriate.
NIS2 Penalties and Enforcement
NIS2 introduces a tiered penalty framework that represents a significant escalation from the original directive:
Essential Entities
- Maximum fine: EUR 10 million or 2% of total worldwide annual turnover, whichever is higher
- Supervisory regime: Proactive supervision including regular audits, on-site inspections, and requests for evidence of compliance
Important Entities
- Maximum fine: EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher
- Supervisory regime: Reactive supervision, typically triggered by incidents, complaints, or intelligence indicating non-compliance
Personal Liability
Critically, NIS2 introduces personal accountability for senior management. Article 20 requires management bodies to approve and oversee cybersecurity risk management measures, undergo training, and bear personal responsibility for non-compliance. National authorities can impose temporary bans on individuals exercising managerial functions in cases of serious non-compliance.
Additional Enforcement Powers
Regulatory authorities can:
- Issue binding instructions requiring specific remediation measures
- Order organisations to implement specific security audits at their own expense
- Require public disclosure of non-compliance
- Temporarily suspend part or all of an essential entity's services
How Does NIS2 Affect UK Organisations?
The NIS2 Directive is EU legislation. Post-Brexit, the UK is not bound by it. However, UK organisations should not dismiss NIS2 as irrelevant. There are three important reasons:
1. EU Operations and Customers
UK companies that provide services to EU customers, operate subsidiaries in EU member states, or process data of EU residents may fall within NIS2's scope for those activities. The directive applies based on where services are provided, not where the organisation is headquartered. A UK-based managed service provider serving EU clients is almost certainly an essential entity under NIS2.
2. UK Cyber Security and Resilience Bill
The UK government has introduced the Cyber Security and Resilience Bill, which is designed to modernise the UK's NIS regulations (which were transposed from the original NIS Directive before Brexit). The Bill is expected to align closely with NIS2 in key areas, particularly scope expansion, incident reporting requirements, and supply chain security obligations. UK organisations that prepare for NIS2 will be well-positioned for the UK's own legislative updates.
3. FCA and Sectoral Requirements
For financial services firms, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) impose cybersecurity requirements that parallel many NIS2 obligations. The operational resilience framework (PS21/3) requires firms to identify important business services, set impact tolerances, and test their ability to remain within those tolerances during severe but plausible scenarios. These requirements are substantively aligned with NIS2's risk management and business continuity provisions.
NIS2 Compliance Checklist
The following steps provide a practical roadmap for achieving and demonstrating NIS2 compliance:
- Determine your classification: Establish whether your organisation qualifies as an essential or important entity based on your sector and size. If you operate across multiple EU member states, assess your status in each jurisdiction.
- Conduct a gap assessment: Compare your current cybersecurity measures against the Article 21 requirements. Identify where your existing controls meet the requirements and where gaps exist.
- Establish board-level governance: Ensure your management body formally approves the cybersecurity risk management framework, receives regular briefings on cybersecurity posture, and completes cybersecurity training.
- Implement a risk management framework: Document your risk assessment methodology, maintain a risk register, and ensure risk treatment decisions are traceable to identified threats and vulnerabilities.
- Deploy continuous monitoring and detection: Implement security monitoring capabilities that can detect significant incidents within the 24-hour early warning requirement. Manual log review is insufficient. Automated detection with high alert fidelity is essential.
- Establish incident response procedures: Document and test your incident response plan, including the three-stage NIS2 reporting process (24-hour early warning, 72-hour notification, 1-month final report). Identify your relevant CSIRT and establish reporting channels.
- Assess supply chain risk: Identify critical suppliers, assess their cybersecurity practices, and incorporate security requirements into contracts. Establish monitoring processes for ongoing supply chain risk.
- Implement access control and MFA: Deploy multi-factor authentication across all critical systems and privileged access. Implement and document access control policies based on the principle of least privilege.
- Develop business continuity plans: Document and regularly test business continuity and disaster recovery procedures. Ensure backup management procedures are in place and tested.
- Prepare evidence and documentation: NIS2 compliance is not just about implementing controls. It requires demonstrable evidence. Maintain audit trails, testing records, training logs, and risk assessment documentation.
How SenseOn Supports NIS2 Compliance
SenseOn's unified detection and response platform directly addresses several of the most challenging NIS2 requirements:
Continuous Monitoring and Incident Detection
NIS2's 24-hour early warning requirement demands automated detection that identifies significant incidents rapidly and with high confidence. SenseOn's cross-domain correlation cross-validates alerts across three independent AI methods (supervised learning, unsupervised anomaly detection, and deep-learning sequence analysis), delivering high-fidelity detections that enable security teams to identify and classify incidents within hours rather than days.
The zero false positives achieved in independent AV-Comparatives testing mean your team is not buried in noise when time-critical incident classification is required.
Incident Reporting Evidence
When a significant incident occurs, NIS2 requires detailed reporting at 24 hours, 72 hours, and 1 month. SenseOn automatically captures the forensic evidence needed for each stage:
- 24-hour early warning: Automated alert classification with severity assessment and initial impact analysis
- 72-hour notification: Full investigation timeline with indicators of compromise, affected systems, and scope assessment
- 1-month final report: Complete root cause analysis with correlated endpoint, network, and identity telemetry
Unified Visibility Across the Estate
NIS2 requires organisations to manage cybersecurity risk across their entire network and information systems. SenseOn's single agent provides endpoint, network, and cloud visibility from one sensor, eliminating the blind spots that arise when organisations rely on separate EDR, NDR, and SIEM tools with gaps between them.
Audit Trails and Compliance Reporting
SenseOn maintains full audit trails of all detections, investigations, and response actions. Built-in compliance reports map SenseOn's capabilities to NIS2 requirements, providing the documented evidence that regulators expect during supervisory assessments.
Operational Simplicity for Lean Teams
Many mid-market organisations subject to NIS2 do not have large security teams. SenseOn is designed for lean teams: a Flexible Intelligence Credit model with no per-GB data charges, automated detection that does not require rule authoring, and investigation workflows that reduce mean time to respond. Credits are consumed by outcomes like detection and investigation, not data volume, so there is never a financial reason to limit visibility. This means organisations can meet NIS2's demanding requirements without building a 20-person SOC.
Frequently Asked Questions
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation that replaced the original NIS Directive. It expands the scope of regulated sectors, introduces stricter security requirements, mandates 24-hour incident reporting, and establishes significant penalties for non-compliance. NIS2 entered enforcement in October 2024 and applies to essential and important entities across 18 sectors.
Does NIS2 apply to UK organisations?
The NIS2 Directive is EU legislation and does not directly apply to UK-only organisations post-Brexit. However, UK companies with EU operations, subsidiaries, or customers must comply for those activities. Additionally, the UK's Cyber Security and Resilience Bill is designed to achieve similar objectives, and the FCA's requirements for financial services firms align closely with NIS2 principles. In practice, most UK mid-market organisations with any European presence need to treat NIS2 as applicable.
What are the penalties for NIS2 non-compliance?
Essential entities face fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to EUR 7 million or 1.4% of global annual turnover. Beyond financial penalties, NIS2 introduces personal liability for senior management, potential temporary suspension of services, and mandatory public disclosure of compliance failures.
What is the NIS2 incident reporting timeline?
NIS2 mandates a three-stage incident reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification with initial assessment within 72 hours, and a final report with root cause analysis and remediation measures within one month. Organisations that cannot detect and classify incidents quickly will struggle to meet these deadlines.
How does NIS2 differ from the original NIS Directive?
NIS2 significantly expands the original NIS Directive in several ways: it covers 18 sectors compared to the original 7, removes the option for member states to set their own scope, introduces harmonised penalties across the EU, adds supply chain security requirements, mandates board-level accountability for cybersecurity, and requires 24-hour initial incident reporting compared to the original's less prescriptive timeline.