Is your UK business ready for NIS2?
In 2024, the introduction of the second Network and Information Security directive, known as NIS2 is set to reshape the cyber security landscape across Europe. While primarily an EU-wide regulation, many of its core principles are expected to be adopted in the UK by November 2024. So, what does this mean for UK businesses, and how can you ensure your organisation is ready for these changes?
What is NIS2?
The NIS2 directive is a piece of legislation designed to strengthen the cyber security resilience of ‘essential’ sectors (including healthcare and digital infrastructure providers) and ‘important’ sectors (including financial institutions and food suppliers) across Europe. It builds upon the original NIS directive (2016) but broadens the scope to include more business sectors, imposes stricter security requirements, and offers regulators the power to enforce greater penalties for non-compliance.
Does NIS2 apply to UK businesses?
Technically, because the UK is no longer bound by EU legislation, the NIS2 directive itself will not be implemented fully within the UK. However, UK businesses that operate in the EU or trade with EU companies will still need to comply with the directive. Moreover, the UK government is tightening its own cyber security regulations, incorporating some NIS2 principles, especially regarding supply chain security and incident reporting. Managed service providers, for example, are likely to come under greater regulatory scrutiny.
Preparing for NIS2
The cornerstone of NIS2 compliance lies in having an effective Information Security Management System (ISMS) that aligns with ISO 27001 standards. For UK businesses, achieving ISO 27001 certification already fulfils approximately 70% of NIS2 requirements, which include risk management, corporate accountability, reporting obligations, and business continuity planning.
If your organisation is already ISO 27001 certified, you are ahead of the curve. For businesses without this certification, investing in ISO 27001 can significantly simplify the journey toward NIS2 compliance. As the directive places considerable emphasis on robust risk management and the protection of digital services, ISO 27001 offers a solid foundation for meeting these requirements.
How will NIS2 impact UK businesses?
- Cyber Essentials becoming critical
With the growing importance of cyber security, the Cyber Essentials certification is fast becoming a necessity for businesses, especially for those trading with EU countries or operating in regulated sectors like insurance. For many companies, including managed IT service providers, obtaining Cyber Essentials certification will soon be mandatory. RedDoor is ahead of the game, holding both the Cyber Essentials and Cyber Essentials Plus certifications as part of its commitment to staying secure and compliant.
- Tighter security controls for key sectors
Sectors affected include healthcare, banking, finance, digital infrastructure, and the food industry, with businesses required to implement comprehensive cyber security measures. While medium-sized and large companies (those with over 50 employees or an annual turnover of €10 million) are primarily affected, smaller businesses may also need to assess their exposure if they are part of larger supply chains or operate in regulated sectors.
- Stricter sanctions
One of the significant changes brought by NIS2 is the toughened enforcement measures. Directors and management could be held personally liable for cyber security failures, and fines could reach as high as €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% of turnover for important entities. Failure to comply could also result in regulatory action that may suspend business operations.
Ready to take the next steps to become NIS2 compliant or want to learn more? Contact RedDoor today.
