The EU NIS2 Directive came into force in October 2024, replacing the original NIS Directive with significantly broader scope, stricter requirements and substantially higher penalties. While NIS2 is an EU instrument, UK businesses are not off the hook — if you supply goods or services to EU-regulated entities, or operate in sectors covered by the directive, your customers will require you to demonstrate compliance as a condition of doing business.
Who Does NIS2 Actually Apply To?
NIS2 covers two tiers of organisations:
- Essential entities — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space
- Important entities — postal and courier services, waste management, chemicals, food, manufacturing, digital providers (search engines, social platforms, online marketplaces), research organisations
Size thresholds: medium-sized and larger enterprises (50+ employees or €10M+ turnover) operating in a covered sector are automatically in scope. Smaller organisations may also be brought in if they are deemed critical to the supply chain of an essential entity.
For UK SMBs, the practical trigger is your customer base. If you are a managed service provider, software vendor, or IT supplier to any EU-regulated business, expect to receive NIS2 compliance questionnaires as part of their third-party risk management obligations.
What NIS2 Actually Requires
Article 21 of NIS2 mandates a minimum set of cybersecurity risk management measures. These are not vague principles — they are specific controls:
1. Risk Analysis and Information System Security Policies
You must have a documented, board-approved information security policy and a formal risk assessment process. Ad hoc security is not sufficient. The policy must be reviewed at least annually and after significant incidents.
2. Incident Handling
NIS2 introduces strict incident notification timelines: an early warning to the relevant CSIRT within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. "Significant incident" is defined as one that causes or could cause severe operational disruption or financial loss.
3. Business Continuity and Crisis Management
Documented and tested business continuity plans, backup management, and disaster recovery procedures are mandatory. Backups must be tested — not just taken.
4. Supply Chain Security
This is the clause that catches UK SMBs. You must assess and manage the cybersecurity risks posed by your own suppliers and service providers. If you are a supplier to an NIS2-covered entity, they must assess you. Expect questionnaires, audits and contractual security requirements.
5. Network and Information System Security
Vulnerability management, patch management, network segmentation, access controls and encryption are all explicitly required. MFA is specifically called out as a mandatory control.
6. Cybersecurity Training
Regular security awareness training for all staff, and specialised training for those with security responsibilities, is required. Training must be documented.
The Penalties
For essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of global annual turnover. Member states can also impose temporary bans on senior management from exercising management functions — a significant personal liability for directors.
A Practical NIS2 Readiness Checklist for UK SMBs
- Determine whether you are directly in scope or in scope via supply chain obligations
- Conduct a formal risk assessment against the NIS2 Article 21 controls
- Document your information security policy and get board sign-off
- Implement and test a documented incident response plan with the 24/72-hour notification workflow
- Audit your backup and DR procedures — test restoration, not just backup creation
- Deploy MFA across all systems — no exceptions
- Implement a vulnerability management programme with defined remediation SLAs
- Conduct a supply chain security review of your own critical suppliers
- Run documented security awareness training and keep records
- Assign a named individual responsible for NIS2 compliance (equivalent to a vCISO function)
How NIS2 Relates to ISO 27001 and Cyber Essentials
If you already hold ISO 27001 certification, you are well positioned — the ISMS framework maps closely to NIS2 requirements. Cyber Essentials covers the technical baseline but does not address governance, incident response or supply chain requirements. You will need to supplement it.
If you are starting from scratch, we recommend treating NIS2 compliance as an opportunity to build a proper ISMS rather than a tick-box exercise. The controls required are the same ones that will protect your business regardless of regulatory obligation.
Baycop provides NIS2 readiness assessments, gap remediation and ongoing compliance monitoring. Book a free NIS2 readiness call to understand your current exposure.