3 Ways NIS2 Will Affect UK Companies (Yes, We're Serious)
The EU's NIS2 Legislation Will Probably Affect Your UK Business. Here's How.
Despite Brexit, many UK companies still do business with and within the EU in some capacity. EU legislation may not apply to UK businesses directly, but it can still heavily influence them, as is the case with NIS2.
While the UK does have its own cybersecurity legislation, such as the Cyber Security and Resilience Bill, the EU's NIS2 compels the vendors and partners of in-scope EU companies to comply with it. So, by proxy, any UK partner in an EU company's supply chain might be up a creek without a paddle if it doesn't comply. It would behoove UK companies to be up to date on the legislation, and even to adhere to it, if they don't want to lose business or close down their international locations.
We get it: it's hard to care about another region's legislation if it isn't directly affecting you. But in our globalized world, everything is interconnected, even EU regulation. Directives this large have rippling effects that you can and should anticipate.
But what is NIS2, what are its implications for non-EU partners, and how can you stay ahead of the curve without dedicating too many resources to it? We'll answer all of these questions and more, so read on.
So, what even is NIS2?

NIS2, the Network and Information Security Directive, is new cybersecurity legislation that will apply to many companies within EU countries. It is an updated form of the original NIS legislation that now prioritizes:
- Higher cybersecurity standards
- Expanded scope
- Stricter incident reporting
- Security among vendors and partners (read: the one you should be most concerned with)
- Increased regulatory scrutiny
- Heavier penalties and fines for non-compliance
Whereas the previous NIS legislation applied only to operators of essential services and some digital service providers, NIS2 sorts in-scope businesses into two categories, essential entities and important entities, each with its own scope and its own compliance requirements and penalties.
So, why should you care?
UK Companies with EU Operations or Clients Must Comply

"But we're not located in the EU. We just have partners there, so it won't apply to us, right?"
Wrong. Why should another jurisdiction's laws dictate your business? Because life isn't fair, that's why. Under EU law, the vendors and partners that in-scope EU companies work with must comply with NIS2, regardless of where they're located. So if you expect to keep business operations uninterrupted, you'll have to satisfy your clients lest they drop you entirely.
The new compliance scope includes UK businesses that:
- Have subsidiaries, offices, or a data center within the EU
- Supply critical services to EU-based companies
- Are involved in supply chains for EU companies
So, yes, it goes without saying that if you have operations in the EU, you must comply too (and hopefully you're already on top of it).
Not already on top of it? Skip down to the NIS2 compliance checklist now.
Non-EU entities operating within the EU must also appoint a representative within the EU to ensure compliance at those locations.
Higher Cybersecurity Standards Mean…
But what do "higher standards" actually mean? Glad you asked.
…expanded scope of affected sectors
- Energy: Electricity, oil, gas, and others.
- Transportation: Logistics providers (including postal/courier services), as well as air, rail, water, and road transit companies.
- Banking: Any financial service or credit institution.
- Healthcare: Care providers, labs, and hospitals.
- Essential services: Companies that handle potable water or waste treatment/disposal, data centers, domain name service providers, government entities at both regional and national levels, and more.
- Food production: Any company that processes or distributes food products.
- Manufacturing: Any manufacturer that deals with chemicals, medical devices, or pharmaceuticals.
- Digital services: This category is extremely broad and far-reaching. It includes social networks, cloud services, online marketplaces, search engines, and any other service offered digitally.
Essentially, you'd be hard-pressed to find an industry that NIS2 doesn't apply to.
…stricter incident reporting requirements
A cybersecurity incident MUST be reported if it:
- Has the potential to disrupt essential services
- Affects supply chains or business operations
- Results in a data breach that loses or compromises internal data
- Impacts public safety and trust
When a cyber incident does occur, companies must now report it within 24 hours of discovery, with a follow-up report after 72 hours (detailing the damage done) and a final report within one month (providing a full analysis and the long-term security improvements planned).
If the threat spreads or becomes worse, more frequent reports must be filed with the appropriate authorities. Additionally, companies must inform their customers if their data is at risk.
NIS2 also expects a zero-trust security model, under which users are verified more frequently. This in turn tightens access control across internal tech stacks.
…tighter supply chain and vendor scrutiny
NIS2 places heavy emphasis on supply chain security and takes aim at third-party risk. Audits and due diligence of all partners' and vendors' cybersecurity measures must be completed to ensure they comply with NIS2. Business continuity and crisis management plans are no longer a nice-to-have but an absolute must-have.
Failure to comply will result in fines and/or loss of business with EU partners.
…increased regulatory scrutiny
Under NIS2, fines can easily amount to EUR 10 million or more. For UK businesses, hefty fines and potential bans from operating within the EU are definitely on the table.
Plus, if the EU's stricter rules wind up influencing future UK cybersecurity legislation (which they already seem to be doing with the recent Cyber Security and Resilience Bill), won't it be nice to be ahead of the curve?
What Do You Do if You're Affected? Keep Calm and Carry On With This NIS2 Checklist
1. Appoint an EU Representative
- If you operate in the EU but don't have a physical presence there, designate an EU-based representative to handle compliance.
- Ensure the representative is authorized to interact with regulators.
2. Implement Stronger Cybersecurity Measures
- Adopt a risk management approach with clear cybersecurity policies.
- Regularly audit and test security measures (penetration testing, vulnerability assessments).
- Protect critical assets using encryption, firewalls, and endpoint security.
- Ensure secure access control (multi-factor authentication, role-based access).
- Implement incident detection and response systems.
3. Meet Incident Reporting Requirements
- Develop a clear incident response plan.
- Be prepared to report cyber incidents within 24 hours.
- Submit a full report to EU authorities within 72 hours.
- Document security incidents for compliance audits.
4. Strengthen Supply Chain and Third-Party Security
- Ensure vendors and partners handling EU data comply with NIS2 security standards.
- Conduct regular risk assessments on third-party providers.
- Require cybersecurity clauses in supplier contracts.
5. Compliance and Governance
- Assign a Chief Information Security Officer (CISO) or compliance officer.
- Train employees on cyber risks and incident response.
- Keep records of risk assessments, compliance efforts, and audits.
- Implement business continuity and disaster recovery plans.
6. Monitor Changes and Penalties
- Stay updated on EU cybersecurity regulations.
- Be aware that non-compliance could result in fines up to €10 million or 2% of annual global turnover.
- Work with legal and cybersecurity consultants if needed.
Lastly, you need a strategic partner on your side who can help you make the meaningful changes required to become NIS2-compliant.
NIS2 Compliance Can be a Cakewalk
Cakewalk is the new standard in access management, designed to get you up to speed on NIS2 and other cybersecurity requirements.
We eliminate shadow IT, facilitate self-service access, automate on- and offboarding, help you run access reviews, and more. To learn more about how you can enhance access management in order to stay compliant with new legislation, get in touch today.
What have you done to prepare for NIS2? What are your thoughts? Join the conversation on LinkedIn or get in touch to share!