FigCompliance

The NIS2 Directive: What UK Businesses Need to Know in 2026

Fig Group Editorial
9 min read

The NIS2 Directive is one of the most significant shifts in European cybersecurity regulation since GDPR. It is an EU directive, not UK law, and the UK is under no obligation to transpose it. It still reaches UK businesses in three ways. UK organisations with establishments in a member state, and UK providers of certain digital services (cloud, data centre, managed services, managed security services, DNS, CDN, online marketplaces, search engines and social networks) that offer those services in the EU, fall within it directly, and the latter must appoint an EU representative (Article 26(3)). UK suppliers to EU essential and important entities inherit its requirements through contractual flow-down. And the UK's own regime, the NIS Regulations 2018 that the government's Cyber Security and Resilience Bill is intended to update, is moving in the same direction. For MSPs, risk teams, and corporate security leaders, 2026 is the point at which understanding and action need to converge.

What Is NIS2?

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) is the EU's updated cybersecurity framework, designed to raise the minimum baseline of security requirements for essential and important entities. It repealed and replaced the original NIS Directive of 2016 (Directive (EU) 2016/1148) with effect from 18 October 2024, with a significantly expanded scope, tighter requirements, and steeper penalties for non-compliance.

Unlike the original NIS Directive, which covered operators of essential services in a limited set of sectors (energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure) plus a few types of digital service provider, NIS2 casts a much wider net. It now covers:

  • Essential entities: large organisations in the high-criticality sectors of Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space), plus categories that are essential regardless of size, such as DNS service providers, TLD name registries and qualified trust service providers
  • Important entities: medium-sized organisations in the Annex I sectors, and medium or large organisations in the Annex II sectors (postal and courier services, waste management, chemicals, food, manufacturing, digital providers such as online marketplaces, search engines and social networks, and research)
  • Supply chain dependencies: suppliers are not in scope merely because they serve an essential or important entity, but Article 21(2)(d) obliges in-scope entities to manage supply chain risk, so suppliers receive the requirements through contracts and due diligence

Scope is decided by a size cap: an organisation of a listed type is in scope if it is medium-sized or larger under Commission Recommendation 2003/361/EC (broadly, 50 or more staff, or more than €10 million in both annual turnover and balance sheet total), with the regardless-of-size categories and member-state designations as exceptions. This expansion means that even mid-market companies may find themselves classified as "important" entities, triggering mandatory compliance obligations.

The Compliance Landscape in 2026

The UK is outside the EU and does not transpose NIS2. What applies domestically is the UK's own NIS Regulations 2018 (derived from the original NIS Directive), the rules of sectoral regulators, and the forthcoming Cyber Security and Resilience Bill, which is intended to update the 2018 regulations along lines broadly comparable to NIS2. In practice that means:

  • Banks and financial institutions are subject to FCA and PRA operational resilience rules, which overlap with NIS2's risk-management and incident-reporting obligations without referencing the directive
  • Energy and water operators are already operators of essential services under the NIS Regulations 2018, supervised by their sectoral competent authorities
  • Healthcare organisations are likewise covered by the NIS Regulations 2018 and by NHS requirements such as the Data Security and Protection Toolkit, which mirror NIS2 principles
  • Telecoms providers face Ofcom-enforced security duties under the Telecommunications (Security) Act 2021, comparable in intent to NIS2

For organisations outside these regulated sectors, and for any UK supplier selling into the EU, the primary driver is contractual: customers and partners increasingly demand NIS2-aligned controls as part of due diligence and vendor risk management.

Key Requirements Under NIS2

Article 21(2) of NIS2 lists ten minimum cybersecurity risk-management measures; this article groups them into five pillars:

1. Governance and Risk Management

Organisations must implement information security policies aligned to a documented risk-management framework (Article 21(2)(a)). This goes beyond compliance checklists: regulators expect a dynamic, evidence-based approach to identifying, assessing and responding to emerging threats, and Article 20 makes management bodies responsible for approving the measures, overseeing their implementation and undergoing cybersecurity training themselves.

Governance structures must include:

  • Board-level accountability for cybersecurity, with management bodies liable for infringements under Article 20
  • Documented risk assessment and management procedures
  • Regular review and update cycles (the directive fixes no interval; annual review is the common practice)
  • Clear roles and responsibilities across the organisation

2. Asset and Access Management

NIS2 requires organisations to maintain visibility of their IT assets, data flows and access controls (Article 21(2)(i) on asset management and access control policies, and (j) on authentication). This includes:

  • Hardware and software inventories kept current (the directive does not mandate real-time updates, but a stale inventory undermines every control that depends on it)
  • Configuration baselines for all systems
  • Multi-factor or continuous authentication, at a minimum for privileged and remote access
  • Segregation of networks and systems by criticality

3. Threat Detection and Response

Organisations must implement continuous monitoring to detect anomalies, intrusions and security incidents, backed by an incident-handling capability (Article 21(2)(b)). This includes:

  • Intrusion detection systems (IDS) and endpoint detection and response (EDR)
  • Log aggregation and analysis for security events
  • Defined incident response procedures
  • Regular testing and simulation of incident scenarios

4. Business Continuity and Resilience

NIS2 requires organisations to maintain operational resilience (Article 21(2)(c) on business continuity, backup management, disaster recovery and crisis management) through:

  • Backup and recovery strategies that are tested regularly (the directive sets no interval; an annual restore test is a common baseline)
  • Redundancy for critical services
  • Continuity plans tested under realistic scenarios
  • Clear recovery time objectives (RTO) and recovery point objectives (RPO)

5. Supply Chain Security

For the first time, NIS2 explicitly addresses third-party and supply chain risk (Article 21(2)(d)), including the security-relevant aspects of the relationship with each direct supplier and service provider. In practice that means:

  • Contracts requiring suppliers to meet defined security standards
  • Ongoing monitoring of supplier security posture
  • Contractual incident notification from suppliers, fast enough for you to meet your own 24-hour early-warning deadline (the directive imposes no deadline on suppliers themselves; the clause has to)
  • Regular security assessments of critical dependencies

Penalties and Enforcement

This is where NIS2 delivers teeth. The directive requires national regulators to be able to impose penalties that dwarf those of the original NIS Directive:

  • Administrative fines: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (Article 34(4)); up to €7 million or 1.4% for important entities (Article 34(5))
  • Supervision: essential entities face proactive supervision, including regular and ad hoc audits, on-site inspections and security scans; important entities are supervised reactively, after evidence or indication of non-compliance (Articles 32 and 33)
  • Incident reporting: a "significant" incident must be reported in stages (Article 23(4)): an early warning within 24 hours of becoming aware of it, an incident notification with an initial assessment within 72 hours, intermediate reports on request, and a final report within one month of the incident notification
  • Recipient notification: where appropriate, entities must tell the recipients of their services about significant incidents likely to affect service delivery, and about significant cyber threats and the measures those recipients can take (Article 23(1) and (2)); notifying individuals of personal data breaches remains a GDPR matter
  • Management liability: management bodies can be held liable for infringements, and for an essential entity the regulator can seek a temporary ban on the individuals concerned exercising managerial functions (Articles 20 and 32(5))

For an essential entity with £2 billion in annual revenue, 2% of turnover translates to £40 million in potential fines. The deterrent effect is immediate and substantial.
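The staged reporting clock is easy to get wrong in practice, because the final-report deadline runs from when the 72-hour notification was actually submitted, not from detection. The following Python module is an added example written for this article; it is not code from the original page or from Fig Group. It assumes timezone-aware timestamps, reads "one month" in Article 23(4)(d) as a calendar month (an interpretation of this example; the directive does not define it further), and ignores the shorter deadlines that apply to trust service providers. The incident timeline in `demo()` is constructed.

```python
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Article 23(4)(a) and (b): both clocks start when the entity becomes aware of the incident.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)


def _require_aware(t: datetime) -> datetime:
    """Refuse naive timestamps: a 24-hour deadline is meaningless without a timezone."""
    if t.tzinfo is None or t.utcoffset() is None:
        raise ValueError("timestamps must be timezone-aware")
    return t


def add_one_month(t: datetime) -> datetime:
    """Calendar month after t, clamping the day when the next month is shorter
    (31 January -> 28/29 February). Assumption of this example: 'one month' in
    Art. 23(4)(d) is read as a calendar month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))


@dataclass
class SignificantIncident:
    aware_at: datetime                                # moment the entity became aware
    submitted: dict = field(default_factory=dict)     # stage -> time it was actually submitted

    def __post_init__(self) -> None:
        _require_aware(self.aware_at)

    def record(self, stage: str, at: datetime) -> None:
        """Record that a reporting stage was submitted at the given time."""
        self.submitted[stage] = _require_aware(at)

    def deadlines(self) -> dict:
        d = {
            "early_warning": self.aware_at + EARLY_WARNING_WINDOW,
            "incident_notification": self.aware_at + NOTIFICATION_WINDOW,
        }
        # Art. 23(4)(d): the final report is due one month after the incident
        # notification was submitted, not after detection, so it has no deadline
        # until that notification has gone out.
        if "incident_notification" in self.submitted:
            d["final_report"] = add_one_month(self.submitted["incident_notification"])
        return d

    def overdue(self, now: datetime) -> list:
        """Stages whose deadline has passed without a recorded submission."""
        now = _require_aware(now)
        return [stage for stage, due in self.deadlines().items()
                if stage not in self.submitted and now > due]


def demo() -> dict:
    """Constructed timeline: aware on 31 Jan 2026 10:00 UTC, notification sent the same evening.
    Returns ISO strings so the result is easy to compare."""
    utc = timezone.utc
    inc = SignificantIncident(aware_at=datetime(2026, 1, 31, 10, 0, tzinfo=utc))
    inc.record("early_warning", datetime(2026, 1, 31, 18, 0, tzinfo=utc))
    inc.record("incident_notification", datetime(2026, 1, 31, 20, 0, tzinfo=utc))
    return {
        "deadlines": {stage: due.isoformat() for stage, due in inc.deadlines().items()},
        # 2026 is not a leap year, so the month after 31 January ends on 28 February.
        "overdue_on_1_march": inc.overdue(datetime(2026, 3, 1, 0, 0, tzinfo=utc)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The clamping in `add_one_month` is the conservative reading: a notification sent on 31 January yields a final-report deadline of 28 February, never 3 March. Wire `record()` to whatever ticketing or GRC tool holds the incident so the deadlines reflect submission times, not planned times.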

Compliance Deadlines: What Happens When

The directive's own timeline:

  • 17 October 2024: deadline for EU member states to transpose NIS2 into national law (many missed it, and the Commission opened infringement proceedings against the late member states)
  • 18 October 2024: NIS2 applies and the original NIS Directive is repealed; the directive itself grants entities no grace period
  • 17 April 2025: deadline for member states to establish their lists of essential and important entities (Article 3(3))
  • 2025 onwards: national authorities issuing implementing guidance and opening entity registration; any transitional periods for initial risk assessments or full compliance come from national law, not from the directive

For the UK, there is no FCA or other domestic NIS2 implementation timeline. The relevant milestone is the Cyber Security and Resilience Bill, announced in the July 2024 King's Speech, which is intended to update the NIS Regulations 2018 (for example by bringing managed service providers into scope and tightening incident reporting), with secondary legislation and sectoral guidance to follow its passage. For UK businesses that means:

  • 2025: UK organisations with EU establishments or EU customers already subject to NIS2 through member-state transposition, while the UK bill progresses
  • 2026: enforcement activity by member-state regulators, and contractual flow-down from EU customers, become the main pressure on UK businesses
  • 2027: the updated UK regime expected to be in force, with its requirements embedded in regulatory assessments

Preparing Your Organisation in 2026

The window to prepare is narrowing. Here's a pragmatic roadmap:

Q1 2026: Assessment and Scoping

Determine whether your organisation falls within NIS2 scope:

  • Are you an essential entity operator in your sector?
  • Are you classified as an important entity?
  • Are you a critical supplier to essential or important entities?
  • What are your customer expectations around NIS2 compliance?

Document your current security posture against the five NIS2 pillars above. Identify gaps using a recognised framework (ISO 27001, NIST Cybersecurity Framework, or CIS Controls).
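The first two scoping questions are a size-cap test, and the answer often surprises mid-market firms. The following Python function is an added worked example for this article, not code from the original page or from Fig Group. It implements the in-scope test of Article 2(1), the size classes of the Annex to Commission Recommendation 2003/361/EC, and the essential/important split of Article 3. Two simplifications are assumptions of this example: the regardless-of-size and member-state-designation routes are reduced to two explicit flags rather than modelled sector by sector, and the special rule making medium-sized public electronic communications providers essential is not modelled. The sample entities are constructed, not real organisations.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Annex(Enum):
    """Which NIS2 annex lists the entity's type of activity (or neither)."""
    I = "Annex I: sectors of high criticality"
    II = "Annex II: other critical sectors"
    NONE = "not a listed type of entity"


@dataclass(frozen=True)
class Entity:
    name: str
    annex: Annex
    staff: int                  # headcount (annual work units)
    turnover_eur: float         # annual turnover
    balance_sheet_eur: float    # annual balance sheet total
    # Art. 3(1)(b) and (d): essential regardless of size, e.g. DNS service providers,
    # TLD name registries, qualified trust service providers, central government bodies.
    essential_by_type: bool = False
    # Art. 2(2) and 3(1)(e)-(g): brought in, or made essential, by member-state designation.
    # Assumption of this example: one flag covers every designation route.
    designated: Optional[str] = None    # None, "important" or "essential"


def size_class(staff: int, turnover_eur: float, balance_sheet_eur: float) -> str:
    """Size class per Article 2 of the Annex to Recommendation 2003/361/EC.
    Micro is folded into 'small': both sit below the NIS2 size cap of Art. 2(1)."""
    if staff < 50 and (turnover_eur <= 10e6 or balance_sheet_eur <= 10e6):
        return "small"
    if staff < 250 and (turnover_eur <= 50e6 or balance_sheet_eur <= 43e6):
        return "medium"
    return "large"   # exceeds the ceilings for a medium-sized enterprise


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope' for one entity."""
    if e.essential_by_type:
        return "essential"            # Art. 3(1)(b),(d): size is irrelevant
    if e.designated is not None:
        return e.designated           # designation overrides the size cap
    if e.annex is Annex.NONE:
        return "out of scope"         # not a type of entity listed in Annex I or II
    size = size_class(e.staff, e.turnover_eur, e.balance_sheet_eur)
    if size == "small":
        return "out of scope"         # Art. 2(1): below the medium-sized threshold
    if e.annex is Annex.I and size == "large":
        return "essential"            # Art. 3(1)(a)
    return "important"                # Art. 3(2): every other Annex I/II entity in scope


# Constructed sample entities (not real organisations).
SAMPLE = [
    Entity("regional electricity distributor", Annex.I, 900, 400e6, 1.2e9),
    Entity("food manufacturer", Annex.II, 120, 30e6, 20e6),
    Entity("small water utility", Annex.I, 45, 8e6, 9e6),
    Entity("boutique DNS provider", Annex.I, 6, 1.5e6, 0.8e6, essential_by_type=True),
    Entity("large law firm", Annex.NONE, 600, 150e6, 90e6),
    # Only 40 staff, but above both monetary ceilings: 'large' under 2003/361/EC.
    Entity("40-person online marketplace", Annex.II, 40, 60e6, 50e6),
]


def scoping_report(entities=SAMPLE) -> dict:
    """Map each entity name to its NIS2 classification."""
    return {e.name: classify(e) for e in entities}


if __name__ == "__main__":
    for name, result in scoping_report().items():
        print(f"{name:32} -> {result}")
```

Note the last sample: headcount alone does not keep an organisation below the cap, because the monetary ceilings are tested independently. Run the function over your own entity list before assuming a subsidiary is out of scope, and treat any "out of scope" result as provisional until you have checked for a member-state designation.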

Q2 2026: Governance and Planning

Establish governance structures and assign accountability:

  • Appoint a senior leader (CISO, Chief Risk Officer) responsible for NIS2 compliance
  • Document your risk management framework
  • Define compliance roles across security, operations, and business teams
  • Create a prioritised remediation roadmap

Q3 2026: Technical Implementation

Deploy technology to address identified gaps:

  • Implement or upgrade asset management and CMDB tools
  • Deploy continuous monitoring (EDR, SIEM, vulnerability scanning)
  • Strengthen access controls and identity management
  • Test and document incident response procedures

Q4 2026: Monitoring and Review

Establish ongoing compliance monitoring:

  • Deploy continuous compliance monitoring tools
  • Implement log aggregation and alerting
  • Define metrics and KPIs for each NIS2 pillar
  • Schedule quarterly reviews and board-level reporting

How Fig Supports NIS2 Compliance

Fig Group's platform directly addresses the NIS2 compliance burden through:

  • Continuous Risk Assessment: Automated mapping of your security controls to NIS2 requirements, with real-time gap identification
  • Evidence Collection: Automated evidence gathering across your entire IT environment - logs, configurations, assessments - ready for regulator audits
  • Incident Tracking: Structured incident management with automatic regulatory notification workflows
  • Supply Chain Monitoring: Continuous security posture assessment of third-party providers against defined criteria
  • Multi-Framework Alignment: Evidence collected for NIS2 simultaneously supports ISO 27001, Cyber Essentials, and other frameworks

The Bottom Line

NIS2 compliance is no longer optional in 2026 - it's foundational. The directive forces organisations to shift from compliance theatre (audits, reports, certifications) to genuine operational security maturity.

The organisations best positioned to succeed are those that start their assessment and planning now. By summer 2026, you should have a clear understanding of your obligations, documented your current posture, and begun remediation. By the end of 2026, continuous monitoring and evidence collection should be operational.

The cost of action pales in comparison to the cost of inaction: a fine of up to 2% of global turnover (£40 million on £2 billion of revenue), regulatory scrutiny, and reputational damage. The time to prepare is now.

Want to see how Fig handles this?

Explore how Fig automates compliance mapping, evidence collection, and framework alignment across 65+ compliance standards.
