Compliance Guide

NIS2 Compliance Checklist: What UK and EU Businesses Must Do in 2026

A practical NIS2 compliance checklist for UK and EU businesses in 2026. Scope, Article 21's ten measures, incident reporting timelines, management liability, and the UK parallel regime most guides miss.

NIS2 is live. It has been for eighteen months. Most of the compliance content you’ll find online is still framing it as a future deadline to prepare for — which is understandable, because the transposition picture is genuinely messy, but it’s no longer accurate. As of March 2026, NIS2 is being enforced or is in the process of becoming enforceable in all EU member states. The question is no longer whether the directive applies to your organisation. The question is whether your compliance programme can withstand scrutiny when a competent authority looks at it.

This guide answers that question, honestly, for two distinct audiences: EU businesses directly in scope of NIS2, and UK businesses who think they’re in scope but usually aren’t (at least not directly). Both groups face real compliance obligations. They’re not the same obligations, and conflating them is the single most common error in the vendor-authored “NIS2 checklists” that dominate search results.

Where things actually stand in April 2026

The NIS2 Directive (Directive (EU) 2022/2555) came into force on 16 January 2023. Member States had until 17 October 2024 to transpose the NIS2 Directive into national law. That deadline passed eighteen months ago. What happened next is what always happens with EU directives on a tight transposition schedule: some member states met the deadline, some missed it by a year or more, and the Commission has been working through infringement proceedings against the laggards.

By March 2026, sixteen-plus EU and EEA countries have their national transposing legislation in place. Several more have legislation in committee or awaiting final adoption. The scale of ENISA’s guidance (stretching to nearly 200 pages of security measures) reinforces the extent of investment and documentation regulators expect for comprehensive NIS2 compliance. Entity registration is largely complete in the earlier-transposing jurisdictions, and competent authorities are now conducting systematic compliance assessments. This is the year of first enforcement actions, not the year of first deadlines.

There are two further developments worth knowing about. First, on 20 January 2026, as part of a new cybersecurity package, the Commission proposed targeted amendments to the NIS2 directive to increase legal clarity. The proposed amendments would simplify compliance for around 28,700 companies including 6,200 micro and small enterprises, and — significantly — add specific ransomware reporting obligations to the existing incident reporting regime. These amendments are a proposal, not yet law; they will proceed through ordinary EU legislative process and we’d expect them in final form no earlier than mid-2027. For now, plan against the existing text.

Second, there is a separate UK regime. We’ll come back to this.

Who is in scope: essential, important, or neither

NIS2 uses a size-capped, sector-based scoping mechanism. Two questions determine whether you’re in scope: which sector you operate in, and how big you are. The answers then determine whether you’re an “essential entity” (higher obligations, proactive supervision, higher fines) or an “important entity” (same baseline obligations, reactive supervision, lower maximum fines).

Sector test

NIS2 covers 18 sectors, split across two Annexes. Annex I covers eleven “highly critical” sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II covers seven “critical” sectors: postal services, waste management, manufacture and distribution of chemicals, production and distribution of food, manufacturing (of medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, and other transport equipment), digital providers (marketplaces, search engines, social networks), and research.

If your organisation’s primary activity falls in Annex I or Annex II, you may be in scope. Next comes the size test.

Size test

  • Large enterprise: at least 250 employees, or exceeds €50 million in annual turnover and €43 million in annual balance sheet total.
  • Medium-sized enterprise: fewer than 250 employees and an annual turnover not exceeding €50 million or an annual balance sheet total not exceeding €43 million.
  • Small enterprise: fewer than 50 employees and an annual turnover or balance sheet total not exceeding €10 million.

The dividing line is between small and medium. NIS2’s size-cap rule excludes micro enterprises (fewer than 10 employees AND under €2 million turnover) and small enterprises (fewer than 50 employees AND under €10 million turnover) in most sectors. Medium and large enterprises in covered sectors are automatically in scope — no discretionary member state designation, which is a major change from NIS1.

Essential or important?

Once you know you’re in scope, the classification depends on both size and sector:

  • Large enterprises in Annex I sectors → essential entities. These face proactive supervision (the competent authority can audit you without needing a triggering incident), higher administrative fines (up to €10 million or 2% of global turnover, whichever is higher), and specific additional measures including potential suspension of certifications or temporary prohibition of senior management from exercising managerial functions.
  • Medium enterprises in Annex I sectors and most enterprises in Annex II → important entities. These face reactive supervision (audits triggered by evidence of non-compliance or incidents), and lower maximum fines (€7 million or 1.4% of global turnover).

Both categories face the same baseline cybersecurity obligations. The supervision intensity and the fine ceiling differ; the substantive security requirements do not.

Automatic scope regardless of size

A handful of entity types are in scope regardless of size: DNS service providers, TLD name registries, trust service providers, public electronic communications providers, and certain other digital infrastructure providers. If you’re in one of these categories, the size test doesn’t apply.

Supply chain reach

If you’re not directly in scope of NIS2 but you supply services to entities that are, expect contractual cybersecurity requirements to flow down to you through vendor due diligence processes. This is where NIS2 reaches well beyond the 160,000 directly-regulated entities. SMEs supplying regulated clients may need to demonstrate specific controls, hold specific certifications (ISO 27001 being the most common request), and be able to evidence incident response capability — not because NIS2 obliges them to, but because their clients’ NIS2 obligations require them to manage supply chain cyber risk. Plan accordingly.

The UK position: NIS2 does not directly apply

This is where we part ways with most of the content you’ll find. The UK is not an EU member state. NIS2, being an EU directive, does not have direct legal effect in the UK. A UK business that operates entirely in the UK and has no establishment, significant customer base, or service provision into the EU is not directly in scope of NIS2.

That is not the same as saying UK businesses have nothing to worry about. Three things are true simultaneously:

UK businesses providing services into the EU may still be in scope. If your organisation offers services to EU customers that fall within NIS2’s sectoral coverage, the directive’s extraterritorial provisions can pull you in. Digital service providers in particular (cloud services, data centres, online marketplaces, social networks) should assume they’re in scope if they have a meaningful EU customer base, and should consider designating an EU representative as required by the directive.

The UK has its own parallel regime that is similar, but not identical. The UK’s Network and Information Systems Regulations 2018 remain in force, and the government is currently progressing the Cyber Security and Resilience (Network and Information Systems) Bill through Parliament. The Bill underwent its second reading on 6 January 2026 and has since completed committee stage. Royal Assent is expected in late 2026, with phased implementation likely running through to 2028.

The Bill substantially expands the 2018 Regulations. It expands who must meet formal cyber security standards, tightens incident reporting timelines, and for the first time brings managed service providers under direct regulatory oversight. Penalty structure is broadly comparable to NIS2 but not identical: up to £10 million or 2% of global turnover for standard breaches, up to £17 million or 4% of global turnover for serious breaches, and up to £100,000 per day for ongoing contraventions.

UK businesses that are effectively ready for NIS2 will be well-positioned for the CS&R regime. The UK government has explicitly aimed for alignment with NIS2. The technical baseline for UK in-scope organisations remains the NCSC’s Cyber Assessment Framework (currently CAF v4.0), which covers substantially similar ground to NIS2’s Article 21 measures. There are divergences — dual notification to both sector regulator and NCSC, a “Designated Critical Supplier” mechanism that differs from NIS2’s supply chain provisions, and sector-specific regulator oversight instead of a single national CSIRT — but an organisation that has done serious NIS2 preparation is not starting from zero for the UK regime.

The key practical guidance for UK businesses: do not assume you can ignore NIS2 simply because you’re headquartered in the UK, and do not assume NIS2 compliance automatically produces CS&R compliance. Map your EU exposure, track the Bill through Parliament, and plan for two overlapping regimes rather than one. The scale of the threat landscape justifies the preparation cost: the NCSC’s Annual Review 2025 reports that, in the twelve months to the end of August covered by the review, its Incident Management team was asked to support some 429 cyber incidents, roughly half of them nationally significant.

The ten Article 21(2) measures

NIS2’s substantive cybersecurity obligations live in Article 21. Article 21(2) of the NIS2 Directive prescribes ten minimum cybersecurity risk management measures that both essential and important entities must implement. Measures are technology-neutral and outcomes-based — the Directive tells you what to achieve, not how to achieve it.

The Commission has given the measures teeth through Commission Implementing Regulation (EU) 2024/2690, which translates Article 21’s broad language into binding technical and methodological requirements for digital infrastructure, ICT service management, and digital provider entities. ENISA published its Technical Implementation Guidance in June 2025 — nearly 200 pages — providing practical implementation guidance, evidence examples, and mappings to international standards.

The ten measures, as they actually read:

(a) Policies on risk analysis and information system security. The governance foundation. Documented information security policy covering the full control environment, management-approved, reviewed on a defined cadence, and operationalised through supporting policies and procedures. If your ISMS is already ISO 27001-certified, you likely have this covered.

(b) Incident handling. The incident response capability — detection, response, recovery, lessons learned. This needs to be a written, tested playbook, with defined roles, communication procedures, and integration with the mandatory incident reporting timelines in Article 23 (covered below). Tabletop exercises and simulations are expected to be part of the maintenance cycle, not one-time activities.

(c) Business continuity (including backup management, disaster recovery, and crisis management). Documented BCP/DR plans, tested at defined intervals, covering both the technical capability to recover and the organisational capability to operate through disruption. The Commission Implementing Regulation already requires entities to have BC/DR plans in place and to test them periodically, and ENISA’s guidance pushes further, recommending red-team-style attack simulations against recovery plans.

(d) Supply chain security (including security-related aspects concerning relationships between each entity and its direct suppliers). Vendor cybersecurity due diligence, contractual cybersecurity requirements, ongoing supplier risk monitoring, and specific attention to the most critical suppliers. This is one of the gaps for organisations coming from an ISO 27001:2013-era ISMS — ISO 27001:2022 and NIS2 both strengthened supply chain expectations materially.

(e) Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure). Secure development practices, patch management, vulnerability scanning, and coordinated vulnerability disclosure. Organisations producing or significantly modifying software are expected to have a secure SDLC. Organisations primarily consuming software are expected to have a vulnerability management programme.

(f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures. Internal and/or external audit, KPIs and KRIs for the control environment, management review of security posture. The meta-control that keeps the other controls honest.

(g) Basic cyber hygiene practices and cybersecurity training. Security awareness training for all staff, with the management body explicitly required to undergo cybersecurity training (more on management liability below). The Commission Implementing Regulation expects this to be structured, role-appropriate, and evidenced.

(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption. A cryptographic control standard covering data at rest, data in transit, key management, algorithm selection, and a roadmap for post-quantum migration as NIST PQC standards mature.

(i) Human resources security, access control policies, and asset management. Joiners/movers/leavers processes with security gates, role-based access control, privileged access management for sensitive accounts, and an accurate, maintained asset inventory. This is the control area most often underestimated — asset management sounds dull until a regulator asks you which systems were affected by a specific incident and you can’t answer.

(j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate. MFA, essentially, with additional emphasis on secured communications for incident response. NIS2 requires companies to have security measures covering “the use of multi-factor authentication”, and the Implementing Regulation expands this into specific expectations around authentication factors and coverage.

For a deeper implementation walkthrough of each measure with ENISA evidence examples, see our companion piece: NIS2 Article 21 Explained: The Ten Minimum Measures in Practice.

Incident reporting: 24 hours, 72 hours, one month

NIS2’s Article 23 establishes mandatory incident reporting for “significant incidents” — defined broadly as incidents that have caused or are capable of causing severe operational disruption or financial loss, or affecting other natural or legal persons by causing considerable material or non-material damage.

The reporting cascade, as adopted from the directive into most member states’ transposing legislation:

  • Within 24 hours of becoming aware of a significant incident: an early warning to the national CSIRT or competent authority, indicating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Within 72 hours: an incident notification updating the early warning with an initial assessment of the incident, including its severity and impact, and where available, indicators of compromise.
  • Upon competent authority request: intermediate status reports.
  • No later than one month after the incident notification: a final report covering a detailed description of the incident, its severity and impact, the type of threat or root cause, applied and ongoing mitigation measures, and any cross-border impact.
  • If the incident is ongoing at one month: a progress report at one month, and a final report within one month of the incident’s resolution.

This is the baseline. Several member states have gone further. Cyprus requires early warnings within six hours of detection. Germany requires direct notification to affected individuals in specific circumstances. Hungary departed from the “main establishment” principle and requires separate registration and reporting for service providers operating in Hungary regardless of where the entity is headquartered. If you operate across multiple EU jurisdictions, you cannot assume a single reporting workflow serves all of them — the fragmentation is real, and it drives meaningful compliance cost.
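To make the cascade concrete, here is an added example (not code from the original article) that turns the moment of awareness into the Article 23 deadlines for one jurisdiction, encodes the Cyprus six-hour early warning as a national override, picks the strictest early-warning clock for a cross-border incident, and also carries the GDPR 72-hour personal data breach deadline discussed in the FAQ below. Assumptions: “one month” is modelled as 30 days, jurisdictions are identified by two-letter country codes, and the report names are the author’s own labels.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

# Baseline Article 23 cascade as described in the text. "One month" is modelled
# as 30 days here (assumption: the directive says "one month", not 30 days).
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
ONE_MONTH = timedelta(days=30)
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)   # GDPR Art. 33, from awareness

# National deviation named in the text: Cyprus requires the early warning within
# six hours of detection. Keying by ISO country code is an assumption.
NATIONAL_EARLY_WARNING: Dict[str, timedelta] = {"CY": timedelta(hours=6)}


@dataclass
class ReportingSchedule:
    jurisdiction: str
    early_warning_due: datetime
    notification_due: datetime
    progress_report_due: Optional[datetime]   # set only if still ongoing at one month
    final_report_due: Optional[datetime]      # None while an ongoing incident is unresolved
    gdpr_notification_due: Optional[datetime]


def reporting_schedule(aware_at: datetime, jurisdiction: str,
                       resolved_at: Optional[datetime] = None,
                       personal_data: bool = False) -> ReportingSchedule:
    """Derive the NIS2 reporting deadlines for one jurisdiction from the moment
    the entity became aware of a significant incident. An unknown resolution
    time is treated as "still ongoing", so the progress report is scheduled."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; off-by-hours errors are real")
    early_due = aware_at + NATIONAL_EARLY_WARNING.get(jurisdiction, EARLY_WARNING)
    notification_due = aware_at + NOTIFICATION
    one_month_mark = notification_due + ONE_MONTH   # runs from the notification

    if resolved_at is not None and resolved_at <= one_month_mark:
        # Closed within the month: the one-month report is the final report.
        progress_due, final_due = None, one_month_mark
    else:
        # Ongoing at one month: progress report then, final report one month
        # after resolution (not computable until the incident is resolved).
        progress_due = one_month_mark
        final_due = resolved_at + ONE_MONTH if resolved_at is not None else None

    gdpr_due = aware_at + GDPR_BREACH_NOTIFICATION if personal_data else None
    return ReportingSchedule(jurisdiction, early_due, notification_due,
                             progress_due, final_due, gdpr_due)


def strictest_early_warning(aware_at: datetime, jurisdictions: Iterable[str]) -> ReportingSchedule:
    """For a cross-border incident the runbook must work to the earliest national
    early-warning clock among the jurisdictions affected."""
    schedules = [reporting_schedule(aware_at, j) for j in jurisdictions]
    return min(schedules, key=lambda s: s.early_warning_due)


def overdue_reports(schedule: ReportingSchedule, now: datetime, submitted: Set[str]) -> List[str]:
    """Names of reports whose deadline has passed without a submission on record."""
    due = {
        "early_warning": schedule.early_warning_due,
        "notification": schedule.notification_due,
        "progress_report": schedule.progress_report_due,
        "final_report": schedule.final_report_due,
        "gdpr_notification": schedule.gdpr_notification_due,
    }
    return [name for name, when in due.items()
            if when is not None and when <= now and name not in submitted]


if __name__ == "__main__":
    aware = datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)   # constructed sample
    for s in (reporting_schedule(aware, "DE"), reporting_schedule(aware, "CY")):
        print(s.jurisdiction, "early warning due", s.early_warning_due.isoformat())
    print("strictest clock:", strictest_early_warning(aware, ["DE", "CY", "FR"]).jurisdiction)
```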

The Commission’s January 2026 proposed amendments would add specific ransomware reporting obligations — details of whether a ransom was demanded, whether it was paid, and to whom — to the existing incident notification framework. This is a proposal, not yet in force, but it signals regulatory direction and informs how you should be designing the incident response runbook now.

Management body liability: the part executives often miss

Article 20 of NIS2 places explicit accountability on the management body for the cybersecurity programme. Board members and senior executives are personally responsible for approving cybersecurity risk management measures and overseeing their implementation. Management body members must also undergo cybersecurity training appropriate to their role.

The enforcement teeth:

  • Competent authorities can impose administrative sanctions directly on management body members for breaches.
  • In serious cases for essential entities, authorities can temporarily prohibit specific natural persons holding senior managerial or legal representative positions from exercising those functions until the identified breach is remedied.
  • Personal fines are possible in some transposing jurisdictions.

This is a material change from NIS1 and from most historical EU cybersecurity enforcement practice. The practical implications: cybersecurity investment decisions, risk acceptance decisions, and incident response decisions now have named accountable humans. “The IT team handles it” is no longer a defensible governance posture. Board-level cybersecurity oversight needs to be documented, evidenced, and regularly exercised — not a line item in the annual report.

NIS2 vs ISO 27001 vs SOC 2: where the controls overlap

Organisations looking at NIS2 compliance often already hold ISO 27001 certification or SOC 2 attestation, and want to know how much duplication is possible. The honest answer is: substantial overlap, but not identity. Here is how the three regimes relate across the major control domains.

| Control domain | NIS2 Article 21 | ISO 27001:2022 Annex A | SOC 2 Trust Services Criteria |
|---|---|---|---|
| Information security policy & risk management | 21(2)(a) | A.5.1, A.5.2, Clause 6.1 | CC1.1, CC3.1–3.4 |
| Incident handling | 21(2)(b) | A.5.24–A.5.30 | CC7.3–7.5 |
| Business continuity & disaster recovery | 21(2)(c) | A.5.29–A.5.30, A.8.13 | A1.2, A1.3 |
| Supply chain security | 21(2)(d) | A.5.19–A.5.23 | CC9.1, CC9.2 |
| Secure development & vulnerability management | 21(2)(e) | A.8.25–A.8.34 | CC7.1, CC8.1 |
| Control effectiveness assessment | 21(2)(f) | Clauses 9.1–9.3 | CC4.1, CC4.2 |
| Security awareness & training | 21(2)(g) | A.6.3, A.7.3 | CC1.4, CC2.2 |
| Cryptography | 21(2)(h) | A.8.24 | CC6.1, CC6.7 |
| HR security, access control, asset management | 21(2)(i) | A.5.9–A.5.18, A.6.1–A.6.8 | CC6.1–CC6.8 |
| Multi-factor authentication | 21(2)(j) | A.8.5 | CC6.1 |

The practical implication: an organisation with a mature ISO 27001:2022 ISMS covers perhaps 80% of the NIS2 Article 21 control surface. The common gaps are supply chain depth (NIS2 expects more specificity on critical supplier management), management body training (explicit NIS2 requirement, looser in ISO 27001), incident reporting timelines (NIS2’s 24/72/one-month cascade is prescriptive; ISO 27001 requires the capability but not the timelines), and MFA coverage (NIS2 is more prescriptive about where MFA must be deployed). SOC 2 overlaps less cleanly because it’s organised around service commitment criteria rather than a control framework — the overlap is real but the mapping is less direct.

None of these is a substitute for NIS2 compliance. Regulators are assessing against NIS2’s text and the Implementing Regulation’s specifics, not against cross-mapped framework certifications. Your existing certifications are evidence accelerators, not compliance substitutes.

A 90-day practical checklist

For organisations that know or suspect they’re in scope and haven’t started the readiness work, or have started it and need to stress-test progress:

Days 1–30: Scope and gap. Confirm which legal entities are in scope and their classification (essential/important). Identify the relevant national competent authority in each member state where you operate. Commission a formal Article 21 gap analysis against the Commission Implementing Regulation and ENISA’s Technical Implementation Guidance. Identify the three-to-five largest gaps by risk and cost to remediate.

Days 31–60: Governance and reporting. Brief the management body on their personal obligations and scheduled cybersecurity training. Draft or update the incident response playbook to match the 24/72/one-month reporting cascade, and map the playbook to each jurisdiction where you operate. Register with the competent authority in each relevant member state (deadlines vary — some are now, some are still opening). Begin or refresh the third-party risk programme, prioritising the critical suppliers.

Days 61–90: Evidence and test. Build the evidence pack — control documentation, policy artefacts, test records, training evidence — that a competent authority audit would expect to see. Run a tabletop exercise against a significant incident scenario with the full reporting cascade to a mock authority. Identify remaining gaps and a realistic closure plan. Brief the board on residual risk and the programme trajectory.

This is the minimum-viable compliance posture for a mid-sized organisation with reasonable existing security maturity. Organisations starting from a lower baseline should expect 6–12 months to reach equivalent readiness, and should prioritise the Article 21 measures most likely to feature in early enforcement actions: incident handling (regulators see this during real incidents), supply chain security (high-profile breaches keep surfacing), and management body accountability (politically salient, easy for a regulator to evidence).

FAQ

Is NIS2 in force in my country yet?

As of March 2026, transposition is complete or substantially complete across most EU and EEA member states, with a small number finalising technical implementing measures. The directive’s obligations apply through the national transposing law in each country — check the specific transposition status for each jurisdiction you operate in via the European Commission’s transposition tracker.

My company is in the UK. Do I need to comply with NIS2?

Only if you provide in-scope services into the EU, in which case NIS2 can reach you extraterritorially. UK-only operations are subject to the UK’s NIS Regulations 2018 and the forthcoming Cyber Security and Resilience (Network and Information Systems) Bill, which is broadly similar but has divergences. If you have any meaningful EU-facing operations, you likely need to plan for both regimes.

What is the fine for non-compliance?

For essential entities, up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, up to €7 million or 1.4%. Member states may impose additional or different sanctions through their transposing legislation. The UK’s forthcoming regime has comparable penalty structures.

When is the Oct 2026 deadline I keep seeing referenced?

There isn’t a single universal “Oct 2026 NIS2 deadline” — this is one of the common misreadings. October 2024 was the transposition deadline, which has passed. Some member states’ national transposing laws have specific implementation dates that fall in 2026 (at least one member state’s legislation enters into force on 1 October 2026). Other national compliance deadlines vary. The applicable deadline is determined by the national law in each jurisdiction where you operate, not by the directive itself.

We hold ISO 27001. Does that mean we’re NIS2-compliant?

No, but it’s a substantial head start. A mature ISO 27001:2022 ISMS covers perhaps 80% of Article 21’s control surface. The typical gaps are supply chain depth, explicit management body training, incident reporting timelines, and MFA coverage. Expect a readiness gap analysis to identify 10–15 specific control enhancements needed on top of your existing ISO certification.

Do small businesses need to comply?

Generally no — NIS2’s size-cap rule excludes most small enterprises (fewer than 50 employees and under €10M turnover). Exceptions apply to specific entity types (DNS, TLD, trust services, electronic communications, and a handful of others) which are in scope regardless of size. Small businesses supplying in-scope entities may still face contractual cybersecurity requirements via supply chain due diligence.

How does NIS2 interact with DORA?

Financial services firms in scope of DORA are out of scope of NIS2’s equivalent provisions — DORA is the lex specialis for financial operational resilience. The two regimes cover overlapping ground (risk management, incident reporting, third-party risk) with different specifics. If you’re a financial services firm, start with our DORA guidance, not this checklist.

What’s the relationship between NIS2 and GDPR?

Separate regimes, sometimes overlapping. A significant NIS2 incident that involves personal data is both a NIS2 reportable incident and potentially a GDPR-reportable personal data breach. The reporting timelines differ (GDPR is 72 hours to the supervisory authority; NIS2 is 24 hours early warning plus 72 hours notification to the CSIRT). Cross-notification between NIS2 authorities and data protection authorities is expected.

Is cyber insurance affected by NIS2?

Materially, yes. Cyber insurers have been tightening underwriting for years, and the existence of a defined regulatory baseline like NIS2’s Article 21 gives them a natural reference point for coverage requirements. Expect insurer questionnaires to map increasingly to NIS2 measures, and expect demonstrable NIS2 compliance to affect premium calculations. See our 2026 cyber insurance guide for the broader picture.
This article is a practical overview of NIS2 compliance obligations for a general business audience. It is not legal advice. Where material compliance obligations apply, engage qualified legal counsel in each relevant jurisdiction. Cybersecurity Essential is an independent publication and has no affiliation with any of the compliance platforms, law firms, or vendors mentioned above — see our editorial standards for details.

Primary sources: European Commission (NIS2 Directive 2022/2555; Commission Implementing Regulation (EU) 2024/2690); ENISA Technical Implementation Guidance, June 2025; UK Government (Cyber Security and Resilience Bill supporting documents); UK NCSC Annual Review 2025.