Although the EU’s new cybersecurity rules do not directly apply to the UK post-Brexit, NIS2 will nonetheless influence UK business practices, particularly from the cybersecurity and data protection perspective.
With the right approach, NIS2 compliance can be a game-changer — meeting regulatory standards and building a more secure and agile business.
Here’s what you need to know about the NIS2 directive to get ahead of the curve and confidently embrace the changes ahead.
- NIS2: The what and the why
- Does NIS2 apply to UK-based companies?
- Essential vs. Important: Understanding your obligations
- Key NIS2 requirements: What you need to do
- NIS2 vs. NIS1: What’s changed?
- How Gallagher can help
- Final thoughts
NIS2: The what and the why
The NIS2 Directive builds on the foundation set by the original NIS1 Directive of 2016 to enhance the cybersecurity of critical infrastructure across Europe. It aims to improve resilience, reduce cyber risks and strengthen coordination between businesses and national authorities in responding to threats.
NIS2 brings more businesses into the fold. Its broader scope means more companies are held to a common baseline of cybersecurity obligations, with clearer guidance on the measures expected of them, so that attacks are prevented or contained rather than dealt with only after the fact.
For companies already following NIS1 standards, NIS2 allows them to take their cybersecurity to the next level with more comprehensive risk management and response systems. For businesses in newly included sectors, it ensures they can build resilience in the face of emerging digital threats.
Does NIS2 apply to UK-based companies?
The short answer is ‘Not directly, in most cases, but it will still affect you’. The UK is no longer part of the EU, so NIS2 is transposed into the national law of EU member states, not the UK. It nevertheless reaches UK businesses in two ways1. First, certain digital service providers that are not established in the EU but offer services there (including cloud computing, data centre, content delivery network, managed service and managed security service providers, DNS service providers and online marketplaces) fall within scope directly and must designate a representative in an EU member state. Second, because NIS2 obliges in-scope entities to manage risk across their supply chains, UK suppliers to EU essential and important entities will be asked to demonstrate equivalent controls even though the directive does not regulate them directly.
For example, a UK company that provides digital services to EU healthcare organisations, or that supplies the energy sector, should expect its customers to require contractual evidence that it meets NIS2-level security requirements, since those customers are accountable for the security of their suppliers. In practice, businesses interacting with entities directly regulated by NIS2 will face the same expectations if they want to remain competitive.
Furthermore, while the UK government is not adopting NIS2 itself, the newly introduced Cyber Security and Resilience Bill, which updates the UK’s own NIS Regulations 2018, is widely regarded as the UK’s answer to NIS2. Adopting NIS2-compliant measures now can, therefore, future-proof your cybersecurity against evolving regulations in the UK as well.
Essential vs. Important: Understanding your obligations
NIS2 classifies in-scope organisations into two categories: essential and important entities2. The classification depends on the sector (the ‘high criticality’ sectors of Annex I versus the ‘other critical’ sectors of Annex II) and, in most cases, on the size of the organisation. Understanding which category your business falls into is key to determining how you will be supervised and what penalties apply.
- Essential entities: Typically large organisations (at least 250 employees, or annual turnover above €50 million together with a balance sheet above €43 million) in the high-criticality sectors, whose disruption could have a major societal or economic impact. These include energy, transport, banking and financial market infrastructure, health, drinking water, digital infrastructure and public administration. They are subject to proactive, ex-ante supervision: regulators may audit, inspect and request evidence of risk management, incident handling and recovery plans without waiting for an incident to occur.
- Important entities: Medium-sized organisations in the high-criticality sectors, and medium or large organisations in the ‘other critical’ sectors such as manufacturing, research, food production, chemicals, waste management and postal and courier services. Their disruption may not be as far-reaching, and supervision is reactive, triggered by evidence or indications of non-compliance, with lower maximum fines. The same risk-management and incident-reporting obligations apply, however, so businesses in these sectors must still implement sound cybersecurity practices to mitigate risk and ensure business continuity.
Key NIS2 requirements: What you need to do
For UK businesses impacted by NIS2, compliance will require adopting specific cybersecurity practices and frameworks. Here are the essential requirements to consider:
- Enhanced cybersecurity risk management
Implement a comprehensive cybersecurity risk management framework3 covering, at minimum, the measures listed in Article 21 of the directive: risk analysis and information security policies, incident handling, business continuity and backup management, supply chain security, secure acquisition, development and maintenance of systems, vulnerability handling and disclosure, regular assessment of how effective the measures are, cyber hygiene and staff training, policies on cryptography and encryption, access control and asset management, and multi-factor or continuous authentication where appropriate.
- Incident reporting on a 24/72-hour timetable
Significant incidents must be reported to the national CSIRT or competent authority in stages4: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification including an initial assessment of severity and impact within 72 hours, and a final report within one month. This is a far tighter timetable than NIS1’s requirement to notify ‘without undue delay’. The 24-hour clock is triggered by any significant incident affecting the availability, integrity or confidentiality of the service, not only by personal data breaches, which remain subject to the separate 72-hour notification rule under GDPR.
- Stronger supply chain security
Assess third-party suppliers and service providers, including the quality of their security practices and secure development processes, and flow NIS2-level requirements down through contracts so that a weak supplier does not jeopardise your own compliance.
- Senior management responsibility
Management bodies must approve the cybersecurity risk management measures and oversee their implementation5, undergo cybersecurity training themselves, and can be held personally liable for failures to meet these obligations, with implications for directors’ and officers’ liability.
NIS2 vs. NIS1: What’s changed?
If your business is already familiar with NIS1, there are a few key updates to be aware of under NIS2:
- Broader scope: NIS2 applies to more industries, particularly those deemed part of critical infrastructure, and uses a size-cap rule so that medium and large organisations in a listed sector are in scope by default rather than being designated individually as under NIS1. Organisations in the following sectors fall within the scope of NIS2, and their suppliers feel the effect indirectly through supply chain obligations:
- Essential entities:
- Energy (electricity, gas, oil)
- Transport (aviation, rail, maritime and road)
- Health (hospitals, pharmaceuticals)
- Digital infrastructure (cloud services, data centres, internet exchange points)
- Banking and financial market infrastructure, drinking water and wastewater, public administration, space and more
- Important entities:
- Food supply
- Postal services
- Manufacturing
- Research
- Waste management
- Stronger enforcement and penalties: The new directive strengthens enforcement powers, with significant fines6 for non-compliance. Penalties for essential entities can be as high as €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Supervisors can also impose binding instructions, order security audits and, for essential entities, temporarily suspend certifications or bar individuals from management roles.
- Closer collaboration: NIS2 requires closer coordination7 with national authorities, enabling faster and more coordinated responses to cyber threats across the EU.
How Gallagher can help
The regulatory landscape around cybersecurity can feel overwhelming, but it’s vital to view NIS2 as an opportunity to enhance your business’s resilience against cyber threats. Gallagher's specialist Cyber Risk Management Practice team can help you understand your NIS2 obligations, assess your security posture, identify gaps and navigate the steps needed to support compliance.
Our expertise includes:
- Risk assessments
- Cyber incident response plans
- Supply chain risk management
- Regulatory reporting compliance
Final thoughts
The NIS2 Directive marks a new era in cybersecurity regulations, with far-reaching implications for businesses across the UK and Europe. Understanding and complying with NIS2 will help you mitigate cyber risks, ensure long-term operational resilience, and help your business stay ahead of the curve.
Let Gallagher guide you through the NIS2 transition and help your business stay secure and compliant.