Insight · Compliance · 17 Feb 2026

NIS2 Is Here: What UK Critical Infrastructure Suppliers Need to Know

The EU's Network and Information Systems Directive 2 - NIS2 - came into force across EU member states in October 2024. UK organisations operating in EU corridors, supplying EU CNI operators, or participating in EU-facing supply chains are already subject to its requirements. Many do not know it.

NIS2 replaced the original NIS Directive, which came into force in 2018, with a substantially expanded scope and significantly higher requirements. The scope expansion is the first important point for UK organisations: NIS2 applies not only to operators of essential services, but to a much wider range of sectors and a much larger population of entities within those sectors.

The sectors covered under NIS2 include energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Within each sector, the threshold for being classified as an 'essential' or 'important' entity is lower than under the original directive, so more organisations are in scope. More UK organisations are in scope - through their EU operations, their EU customers, or their participation in EU-facing supply chains - than realise it.

The security requirements under NIS2 are more prescriptive than under the original directive. They include specific requirements for risk analysis and information system security policies, incident handling, business continuity, supply chain security, procurement policies, vulnerability handling, and the use of encryption. Notably, NIS2 explicitly requires supply chain security - organisations must assess and manage security risks in their supply chains, including the relationships between security measures across their supplier network.

The incident reporting requirements are demanding: significant incidents must be reported to national authorities within 24 hours of detection (early warning), with a more complete report within 72 hours and a final report within one month. These timelines are tight and require incident management processes to be in place, and tested, before an incident occurs.

For UK organisations, the question of direct applicability is complex. The UK's own NIS framework - the NIS Regulations 2018 and the forthcoming Cyber Resilience and Infrastructure Protection Bill - is not identical to NIS2. UK organisations are not directly subject to NIS2 unless they operate in the EU or are subject to EU jurisdiction in other ways. However, UK organisations that supply EU CNI operators are increasingly being required to demonstrate NIS2 compliance as a supply chain security requirement - regardless of whether they are directly subject to the directive.

The practical guidance is straightforward: if you operate in EU corridors, supply EU CNI operators, or participate in EU-facing supply chains, assess your NIS2 position now. The requirements are in force. The penalties - up to €10 million or 2% of global annual turnover - are substantial. The time to discover you are non-compliant is not during an incident or a regulatory inspection.

DIRECT™ Intelligence - CNI Insight Feed - © 2026