Europe’s new cyber rules: NIS2 and the UK NIS Bill in practice

Cybersecurity regulation in Europe is moving from niche to mainstream.

09 April 2026

Publication


Cybersecurity regulation in Europe is moving from niche to mainstream. For many years, “NIS” was something energy companies and telecoms operators worried about. That is no longer true. With the EU’s NIS2 Directive and the UK’s proposed Cyber Security and Resilience (NIS) Bill, a much wider range of digital and technology businesses now find themselves treated as part of critical infrastructure.

Both regimes are designed to deal with the same reality: modern cyber incidents often spread through shared infrastructure and service providers. Attacks on managed service providers, data centres or cloud platforms can quickly cascade across sectors. The EU and UK are therefore tightening rules not only for traditional operators of essential services, but also for the digital suppliers that sit behind them.

From NIS1 to NIS2 – a broader, tougher EU regime

NIS2 is the EU’s updated framework for “Network and Information Security”. It applies to “essential” and “important” entities in 22 sectors, ranging from banking, transport and health to telecoms, digital service providers, data centres, managed ICT service providers and manufacturing.

One of the most important changes from the original NIS Directive is how scope works. Under NIS1, entities generally had to be designated by national authorities before obligations applied. Under NIS2, if you operate in one of the listed sectors and meet the size thresholds, you are automatically in scope. There is no need to wait for a formal designation.

The size thresholds themselves are not high for larger groups. Essential entities are typically organisations in “highly critical sectors” with more than 250 employees and annual turnover above EUR 50 million; important entities are usually mid-sized organisations with more than 50 employees and turnover above EUR 10 million. These thresholds are calculated at group level. A relatively small EU subsidiary can therefore be treated as an essential or important entity if it belongs to a larger group that exceeds the thresholds.

Once in scope, entities must register with the relevant authorities, implement appropriate cybersecurity measures for their network and information systems, and report significant incidents within strict timelines. NIS2 also makes clear that responsibility sits at the top: the management body of the company is expressly responsible for compliance, and fines for non-compliance have been increased.

NIS2 has an extraterritorial element as well. Providers of certain digital services – such as cloud services, managed IT services, social network platforms and online marketplaces – that offer services into the EU without an establishment must appoint an EU representative. If they do not, each Member State in which they provide services can claim jurisdiction and enforce NIS2 against them.

Although Member States were supposed to implement NIS2 into national law by October 2024, many have not yet finalised their legislation. In parallel, the European Commission has proposed amendments that would allow companies to demonstrate compliance through cybersecurity certification under the EU Cyber Security Act, and would empower the Commission to adopt implementing laws to clarify the rather generic cybersecurity requirements in the Directive. Over time, this is likely to push the market towards recognised EU level certifications as a way of showing regulators and customers that systems meet NIS2 standards.

The UK’s NIS Bill – catching up with NIS2

Because NIS2 does not apply in the UK after Brexit, the UK government is using the Cyber Security and Resilience (NIS) Bill to modernise its own regime and close the gap with the EU. The Bill has passed second reading and is at committee stage, so it is a live reform rather than a distant idea.

The direction of travel is similar to NIS2. The Bill expands the scope of the UK regime to bring in new types of services and to give regulators power to designate “critical suppliers”. This is driven by real incidents, including a 2024 cyberattack on a managed service provider that handled payroll services for the Ministry of Defence.

Two categories are particularly important. First, managed service providers: medium and large MSPs providing ongoing networked services will be regulated, with the ICO as their competent authority and a focus on resilience obligations. Second, data centres: larger data centres will be treated as operators of essential services, including commercial data centres at 1 megawatt or above and enterprise data centres over 10 megawatts. The thresholds apply on a site-by-site basis, so operators will need to assess each facility individually.

Incident reporting will also become more demanding. The Bill moves away from a narrow focus on incidents that have already caused disruption. It extends reporting to incidents that could lead to serious future harm, such as system compromise or pre-positioning by attackers. It introduces a two-stage model: an initial notification within 24 hours, followed by a fuller report within 72 hours, to both the sector regulator and the National Cyber Security Centre. Affected customers must also be notified.

On enforcement, the Bill adopts a GDPR-style fining model. Maximum penalties rise to up to GBP 10 million or 2% of global turnover, and up to GBP 17 million or 4% of global turnover for the most serious breaches. For groups with significant global revenues, this creates real financial exposure even where the UK footprint is relatively modest.

The detail of what counts as “appropriate and proportionate” security measures will be fleshed out in codes of practice issued by the Secretary of State. These codes will not be strictly binding, but they will be persuasive evidence of compliance or non-compliance. In the meantime, organisations can look to NIS2 standards and existing NCSC frameworks as a good indication of what “good” will look like under the UK regime.

Practical implications and next steps

Although the EU and UK regimes differ in legal form – a Directive implemented nationally versus a domestic Bill – the practical expectations are converging. Both treat certain digital and infrastructure services as critical; both extend obligations into the supply chain; both tighten incident reporting; and both raise the stakes for boards and senior management.

For in-house teams, a sensible starting point is a scope assessment. That means identifying which entities and services fall into NIS2 sectors or the UK Bill’s categories, including managed services, data centres, telecoms, digital platforms and other services that support critical sectors. For EU entities, it also means checking whether group-level size thresholds are met, and for non-EU digital providers, whether an EU representative is required.

The next step is to align governance and incident response with the new expectations. Boards and senior management should understand that cybersecurity is now a regulatory obligation with personal accountability. Incident response plans need to support rapid detection, escalation and reporting within the timelines set by NIS2 and the UK Bill, including coordination across jurisdictions and with customers.

Finally, organisations should keep an eye on secondary legislation and guidance. In the EU, implementing acts and cybersecurity certification schemes under the Cyber Security Act will become increasingly important in demonstrating NIS2 compliance. In the UK, forthcoming codes of practice will set out what regulators expect in terms of security measures and resilience.

The overall message is clear: in Europe, cybersecurity for digital and infrastructure services is now being regulated in the same way as other forms of critical infrastructure. Treating NIS2 and the UK NIS Bill as central to risk management and product strategy – rather than as narrow compliance exercises – will put organisations in a much stronger position as enforcement ramps up.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.