Post-Brexit, the United Kingdom maintains its own Network and Information Systems (NIS) Regulations — separate from, but closely mirroring, the EU's updated NIS2 Directive (2022/2555). If your business operates in both jurisdictions, you face two distinct legal frameworks, two sets of competent authorities, and two compliance timelines. This guide untangles both.
The UK NIS Regulations 2018 (as amended by the Network and Information Systems (Amendment) (EU Exit) Regulations 2020 and further updated in 2022) continue to apply in Great Britain and Northern Ireland. They are enforced by the National Cyber Security Centre (NCSC) and sector-specific Competent Authorities (CAs) such as Ofgem, the Department for Transport, NHS Digital, and the Financial Conduct Authority (FCA).
Meanwhile, the EU's NIS2 Directive — which significantly expanded scope, strengthened penalties, and tightened timelines compared to the original NIS Directive — has been transposed into national law across EU member states, with full enforcement ramping up through 2024–2026. Any UK business with operations, customers, or services in the EU may fall under NIS2 as well.
The UK NIS Regulations apply to two categories of organisations:
- Operators of Essential Services (OES) — organisations in sectors where a significant disruption would have major societal or economic impact.
- Relevant Digital Service Providers (RDSPs) — online marketplaces, online search engines, and cloud computing services with 50+ employees or >€10m annual turnover.
The six OES sectors are:
- Energy — electricity, gas, oil
- Transport — air, rail, road, water
- Water — drinking water supply
- Health — NHS, private providers
- Digital Infrastructure — IXPs, DNS, TLD registries
- Finance — banking, FMIs
UK NIS vs EU NIS2 — Key Differences
Understanding the divergence between the two regimes is essential for businesses operating across both jurisdictions. The table below compares the key dimensions:
| Dimension | UK NIS Regulations | EU NIS2 Directive |
|---|---|---|
| Legal Basis | UK NIS Regs 2018 + SI 2020/No.1245 amendments | Directive (EU) 2022/2555, transposed by member states |
| Scope of Sectors | 6 sectors (OES) + 3 RDSP types. More prescriptive definitions, sector-specific CAs | 11 high-criticality + 7 other critical sectors; broader scope including waste, space, public admin |
| Size Thresholds | OES: designated by CA; no hard size threshold. RDSPs: 50+ employees or €10m+ turnover | Essential entities: 250+ employees or €50m+ turnover in scope sectors. Important entities: 50–249 or €10m–€50m |
| Incident Reporting — Initial | 72 hours to relevant CA | 24-hour early warning to national CSIRT |
| Incident Reporting — Full | No separate requirement beyond 72h initial notification | 72-hour incident notification + 1-month final report |
| Enforcement Body | NCSC (oversight) + sector CAs (Ofgem, DfT, NHS Digital, FCA, etc.) + ICO for RDSPs | National CSIRTs + competent national authorities (varies by member state) |
| Maximum Penalties | OES: up to £17 million; RDSPs: up to £17 million | Essential entities: up to €10 million or 2% of global annual turnover (whichever is higher); Important entities: €7 million or 1.4% |
| Management Liability | Enforcement against the organisation; no explicit personal liability for directors | Explicit personal liability for senior management; temporary bans possible for essential entities |
| Supply Chain Security | Required as part of the 14 security principles (Principle B3) | Explicitly mandated; entities must assess and manage supply chain cyber risks |
| Audits & Inspections | CAs can audit OES; enforcement notices issued for non-compliance | Proactive supervision for essential entities; complaint-based for important entities |
UK NIS Regulations — Who Is Affected?
Operators of Essential Services (OES)
A UK organisation is designated as an OES if it meets the following test applied by the relevant Competent Authority:
- It provides a service that is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems;
- An incident affecting those systems would have significant disruptive effects on the provision of the service.
Designation is not self-declared — Competent Authorities actively identify and notify organisations. If you have not been formally designated, you are not currently an OES, although the Government may expand scope through secondary legislation. Many mid-sized utilities, NHS trusts, rail operators, and financial market infrastructure operators are designated.
Relevant Digital Service Providers (RDSPs)
RDSPs are organisations that provide one of three digital services to customers in the UK and meet the size threshold (50+ employees or €10 million+ annual turnover):
- Online marketplaces — platforms that allow consumers and traders to conclude sales or service contracts online (e.g. e-commerce platforms, app stores);
- Online search engines — services that allow users to search across websites;
- Cloud computing services — IaaS, PaaS, and SaaS offerings providing on-demand scalable shared computing resources.
Unlike OES, RDSPs do not need to be formally designated — the obligation applies automatically if the criteria are met. Micro and small enterprises (fewer than 50 employees and turnover below €10m) are explicitly exempt from RDSP obligations.
Security Measures Required
The NCSC's Cyber Assessment Framework (CAF) underpins UK NIS compliance. It is organised around 14 security principles grouped into four objectives:
Objective A — Managing Security Risk
- A1 — Governance: Appropriate organisational structures and policies are in place to govern cybersecurity and manage risk to the network and information systems.
- A2 — Risk Management: A systematic process exists to identify, assess, and manage cybersecurity risks.
- A3 — Asset Management: All systems and data critical to service delivery are identified and managed.
- A4 — Supply Chain: Cybersecurity risks from third-party suppliers and the supply chain are understood and managed (see also Principle B3).
Objective B — Protecting Against Cyber Attack
- B1 — Service Protection Policies and Processes: Defined and implemented policies protect the network and information systems from cyber attacks.
- B2 — Identity and Access Control: Access to systems is appropriately controlled, authenticated, and audited.
- B3 — Data Security: Data is protected in transit and at rest; removable media is controlled; supply chain data risks are managed.
- B4 — System Security: Systems are designed and configured securely; vulnerabilities are managed and patched in a timely manner.
- B5 — Resilient Networks and Systems: Network architecture is resilient; redundancy and failover capabilities are in place.
- B6 — Staff Awareness and Training: Staff understand their cybersecurity responsibilities and are trained accordingly.
Objective C — Detecting Cyber Security Events
- C1 — Security Monitoring: Monitoring capabilities detect and log relevant events across the network and information systems.
- C2 — Proactive Security Event Discovery: Active vulnerability scanning, penetration testing, and threat intelligence are used to identify risks before they are exploited.
Objective D — Minimising the Impact of Cyber Security Incidents
- D1 — Response and Recovery Planning: Up-to-date incident response plans exist and are tested; lessons-learned exercises are conducted after incidents.
- D2 — Improvements: Security improvements are driven by insights from incident response, monitoring, and threat intelligence.
Incident Reporting Requirements
Incident reporting is one of the most operationally challenging aspects of NIS compliance. The timelines differ between the UK and EU frameworks.
UK NIS Regulations — Reporting Obligations
OES and RDSPs must notify their relevant Competent Authority of any incident that has a significant impact on the continuity of essential or digital services. The significance test considers:
- Number of users affected;
- Duration of the incident;
- Geographic spread of disruption;
- Extent of disruption to service functionality;
- Impact on the economy, public safety, or other critical services.
72 Hours — Initial Notification (UK)
Notify the relevant Competent Authority within 72 hours of becoming aware of a significant incident. Include: what happened, systems affected, estimated impact, and initial containment actions taken.
Ongoing — Updates as Requested (UK)
The CA may request further updates or a final report. There is no mandatory timeline for a final report under UK NIS — but failure to co-operate with CA requests can itself constitute a breach.
EU NIS2 — Three-Stage Reporting
The EU NIS2 framework is more structured. Significant incidents for essential and important entities follow a three-stage reporting process:
24 Hours — Early Warning (EU NIS2)
Submit an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident. Indicate whether it is suspected to be malicious or has cross-border impact.
72 Hours — Incident Notification (EU NIS2)
Submit a full incident notification within 72 hours, updating the early warning with: initial assessment of severity and impact; indicators of compromise where available.
1 Month — Final Report (EU NIS2)
Submit a detailed final report within one month, covering root cause analysis, mitigation measures implemented, and cross-border impact assessment if applicable.
Preparing for UK NIS Compliance
For organisations that are newly designated OES or that are assessing their RDSP status, the following framework provides a structured path to compliance:
- Gap Assessment against NCSC CAF — Complete a structured self-assessment or commission an independent assessment against all 14 CAF principles. Document current posture, identify gaps, and prioritise remediation by risk.
- Risk Register — Establish a live risk register covering cyber threats to network and information systems supporting essential services. Include likelihood, impact, and residual risk scores after controls.
- Incident Response Plan (IRP) — Develop and document an IRP that covers detection, classification, escalation, notification (including the 72-hour CA notification procedure), containment, recovery, and post-incident review. Test it annually via tabletop exercises.
- Supply Chain Security Audit — Map all third-party suppliers that have access to or affect your critical network and information systems. Assess their cyber risk posture; include cyber clauses in contracts; review periodically.
- Access Control Review — Audit all privileged and administrative accounts; enforce multi-factor authentication (MFA) on all administrative access; implement least-privilege principles across systems.
- Security Monitoring Implementation — Deploy Security Information and Event Management (SIEM) or equivalent to detect anomalous activity; define retention periods for security logs; assign 24/7 monitoring responsibility.
- Staff Awareness Training — Deliver mandatory cybersecurity awareness training to all staff annually; provide role-specific training for IT and security personnel; include phishing simulation exercises.
- Competent Authority Engagement — Establish a relationship with your relevant CA; understand their reporting portal or procedures; ensure the nominated contact point (required under NIS) is up to date.
UK NIS enforcement is not theoretical. In 2022, Checklist Systems Limited was fined £1.6 million by the ICO for failing to implement appropriate technical and organisational measures to protect its network and information systems, as required by the NIS Regulations. The incident resulted in a ransomware attack that disrupted services.
The ICO has signalled increasing scrutiny of regulated organisations, particularly in sectors where NIS overlaps with GDPR obligations. Penalties can be issued for failure to implement security measures even if no breach has occurred — a finding of inadequate controls is itself sufficient.
Common findings in UK NIS audits and enforcement notices include: lack of network monitoring, insufficient vulnerability management, no tested incident response plan, and inadequate supply chain controls.
NIS2 for EU Operations
If your business operates in the EU — whether through a branch, subsidiary, customer base, or digital services delivered to EU residents — you may be independently subject to the EU NIS2 Directive. This applies in addition to UK NIS obligations; there is no mutual recognition arrangement between the UK and EU post-Brexit.
Under NIS2, an entity is deemed in scope if it:
- Provides services in one or more EU member states;
- Operates in one of the 11 high-criticality or 7 other critical sectors defined in Annexes I and II of the Directive;
- Meets the size criteria: 250+ employees or €50m+ turnover (essential entities), or 50+ employees / €10m+ turnover (important entities).
Critically, NIS2 introduced a "main establishment" rule: entities operating in multiple EU member states are supervised primarily by the member state where they have their EU main establishment (typically headquarters or main administrative function). This single point of contact simplifies multi-country compliance but does not exempt businesses from all local requirements.
Dual Compliance Framework
UK businesses subject to both frameworks should develop a dual compliance matrix that maps obligations side-by-side, identifies where a single control satisfies both regimes, and highlights where different standards apply (particularly around incident reporting timelines and management liability). Key areas where the frameworks diverge:
- Incident reporting speed: NIS2's 24-hour early warning is significantly tighter than the UK's 72-hour initial notification. A common procedure should default to the tighter timeline to satisfy both.
- Management liability: NIS2 explicitly holds senior management personally accountable; UK NIS does not — but UK businesses may wish to extend board-level accountability anyway as governance best practice.
- Sector scope: Your UK operations may be in scope as OES; your EU operations may qualify as important entities under NIS2 in a different sector category. Assess each jurisdiction's criteria independently.
- Competent authorities: You will need to maintain separate relationships and reporting contacts — your UK CA plus the NIS2 competent authority in the relevant EU member state(s).
Despite the differences, the two frameworks are substantively aligned on security principles. A robust cybersecurity programme built around the NCSC CAF will cover the majority of NIS2 Article 21 security obligations. Key areas of alignment: risk management, MFA, incident response, business continuity, supply chain security, and staff training. Build once; tune for each jurisdiction's specific reporting and governance requirements.
NIS2 Compliance Tool — Track Your Compliance
SaasLab's NIS2 Compliance tool helps organisations track obligations, manage their risk register, and document security measures for both UK NIS and EU NIS2 requirements in one place.