NIS2 in the United Kingdom

The United Kingdom (UK) formally left the European Union in 2020, with the transition period concluding on December 31, 2020. Consequently, the UK is no longer required to transpose EU Directives into national law. However, the 2016 EU Network and Information Security Directive (NIS1) was transposed into UK law prior to Brexit and remains in effect, and harmonization with NIS2 is planned.
The newly elected UK Labour government, which took office in 2024, has announced its plans to introduce the Cyber Security and Resilience Bill to Parliament in 2025. First announced in July 2024, the CS&R Bill aims to improve the UK’s cross-sector cybersecurity framework by updating the existing UK NIS1 regulations in line with EU NIS2 requirements.
EU NIS in the United Kingdom
Current status
The UK implemented the NIS Directive (2016/1148) through the NIS Regulations 2018, which came into force on May 10, 2018 as part of the UK’s £2.8b National Cyber Strategy.
An EU NIS2 follow-on for the UK is currently under development with the CS&R Bill.
The UK government is keen to maintain alignment with developments in EU legislation, in particular EU NIS2, noting that previous EU regulations have been superseded (...) and require urgent updating in the UK to ensure that our infrastructure and economy are not comparably more vulnerable.
The Information Commissioner's Office (ICO) is the UK regulator (competent authority) for data protection and oversees relevant digital service providers (RDSPs) under NIS1. For Operators of Essential Services (OES), the UK assigned sector-specific competent authorities.
In conjunction with the NIS Regulations, the UK implemented an act for digital service providers (DSP Regulation), which sets out security requirements and incident reporting thresholds for some entities.
Responsibilities
The UK has defined the competent authorities and Computer Security Incident Response Teams (CSIRTs) under EU NIS1 as follows:
- Government Communications Headquarters (GCHQ) serves as the Single Point of Contact (SPOC) for cybersecurity issues in the UK.
- National Cyber Security Centre (NCSC), which is part of GCHQ, acts as the UK’s primary Computer Security Incident Response Team (CSIRT), responsible for coordinating and responding to significant cybersecurity incidents.
- NCSC is the UK’s technical authority on cyber threats, providing a unified national response to cybersecurity challenges and supporting public and private sector organizations.
- While GCHQ (via NCSC) is the SPOC and plays a central role, regulatory oversight is not centralized in the UK. Sector-specific regulators have been given oversight responsibilities as follows:
NIS Sector | Subsector | Competent Authority |
---|---|---|
Energy | Electricity | Secretary of State for Energy Security and Net Zero and the Gas and Electricity Markets Authority (Ofgem), acting jointly (England, Wales and Scotland); Department of Finance (Northern Ireland) |
Energy | Oil | Secretary of State for Energy Security and Net Zero (England, Wales and Scotland); Department of Finance (Northern Ireland) |
Energy | Gas | Secretary of State for Energy Security and Net Zero for the essential services (England, Wales and Scotland); otherwise the Secretary of State for Energy Security and Net Zero and the Gas and Electricity Markets Authority, acting jointly; Department of Finance (Northern Ireland) |
Transport | Air Transport | Secretary of State for Transport and Civil Aviation Authority, acting jointly (United Kingdom) |
Transport | Rail Transport | Secretary of State for Transport (England, Wales and Scotland); Department of Finance (Northern Ireland) |
Transport | Water Transport | Secretary of State for Transport (United Kingdom) |
Transport | Road Transport | Secretary of State for Transport (England and Wales); Scottish Ministers (Scotland); Department of Finance (Northern Ireland) |
Health | Health care | Secretary of State for Health (England); Welsh Ministers (Wales); Scottish Ministers (Scotland); Department of Finance (Northern Ireland) |
Drinking Water Supply and Distribution | | Secretary of State for Environment, Food and Rural Affairs (England); Welsh Ministers (Wales); Drinking Water Quality Regulator for Scotland (Scotland); Department of Finance (Northern Ireland) |
Digital Infrastructure | | Office of Communications (Ofcom) (United Kingdom) |
Scope of UK NIS
Entities
NIS Regulations apply to Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs), as defined under Part 3 (Art. 8-11) and Part 4 (Art. 12-14) of the NIS Regulations. OES are organizations that provide services critical to the economy and society, while RDSPs offer specific digital services.
Operators of Essential Services (OES)
An OES provides an essential service where:
- The service depends on network and information systems.
- An incident would have significant disruptive effects on that service.
- The head office is located in the United Kingdom, or a nominated representative is based in the UK.
- The operator employs ≥ 50 FTE staff or has an annual turnover/balance sheet total >EUR 10m.
Obligations of an OES covered by UK NIS:
- Nominate a UK-based representative in writing with authority to act on their behalf.
- Notify the designated competent authority with relevant information (name, address, contact).
Relevant Digital Service Providers (RDSP)
An RDSP provides one or more of the following services:
- Online marketplace
- Online search engine
- Cloud computing service
and meets the following criteria:
- Its head office is outside the UK but it offers digital services within the UK.
- It is not a micro or small enterprise (<50 FTE staff and annual turnover/balance sheet total <EUR 10m).
Obligations of an RDSP covered by UK NIS are:
- Notify the designated competent authority with relevant information (name, address, contact).
Sectors in UK NIS
The NIS Regulations in the UK define in Schedule 2 (comparable to EU NIS Annex II) sector-specific threshold requirements and differentiate between Great Britain and Northern Ireland. Thresholds for sectors and subsectors under NIS are:
Sector Subsector | Threshold Great Britain | Threshold Northern Ireland |
---|---|---|
Energy (sector) | | |
Electricity supply | Electricity undertakings that carry out the function of supply to >250,000 final customers; or electricity undertakings that carry out the function of generation via generators that, when cumulated with the generators operated by affiliated undertakings, would have a total capacity, in terms of input to a transmission system, ≥ 2 gigawatts | The holder of a supply licence under Art. 10(1)(c) of the Electricity (Northern Ireland, hereafter 'NI') Order 1992 who supplies electricity to >8,000 consumers, and the holder of a generation licence under Art. 10(1)(a) of the same legislation with a generating capacity ≥ 350 megawatts. Nuclear electricity generators and generators that are not connected to a transmission system are excluded |
Electricity transmission | Transmission system operators with a potential to disrupt delivery of electricity to >250,000 final customers; holders of offshore transmission licences where the offshore transmission systems of that licence holder and its affiliated undertakings are directly connected to generators that have a total cumulative capacity, in terms of input to a transmission system, ≥ 2 gigawatts; or holders of interconnector licences where the electricity interconnector to which the licence relates has a capacity, in terms of input to a transmission system, ≥ 1 gigawatt | The holder of a transmission licence under Art. 10(1)(b) of the Electricity (NI) Order 1992 |
Electricity distribution | Distribution system operators with the potential to disrupt delivery of electricity to >250,000 final customers. This does not include transmission systems for which an offshore transmission licence or interconnector licence applies | The holder of a distribution licence under Art. 10(1)(bb) of the Electricity (NI) Order 1992 |
Oil upstream | For the essential service of the conveyance of oil through relevant upstream petroleum pipelines, the threshold requirement in the UK is the operator of a relevant upstream petroleum pipeline which has a throughput of >3,000,000 tonnes of oil equivalent per year excluding natural gas, if that operator does not fall within another threshold requirement in relation to this pipeline under this schedule | |
Oil pipeline | Operators of any pipeline with a throughput of >500,000 tonnes of crude oil based fuel per year (not including transmission of crude oil) | Operators of any pipeline with a throughput of >50,000 tonnes of crude oil based fuel per year |
Oil processing | A relevant oil processing facility (an operator of a facility with a throughput of >3,000,000 tonnes of oil equivalent per year), or a relevant upstream petroleum pipeline which is connected to and operated from a relevant oil processing facility (an operator of a pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year) | |
Oil crude | Storage of 500,000 tonnes of crude oil based fuel; production of 500,000 tonnes of crude oil based fuel per year; or supply of 500,000 tonnes of crude oil based fuel per year | The operator of a facility which has a storage capacity >50,000 tonnes of crude oil based fuel |
Oil petroleum | A relevant offshore installation which is part of a petroleum production project (an operator of an installation with a throughput >3,000,000 tonnes of oil equivalent per year), or a relevant upstream petroleum pipeline which is connected to and operated from such an installation (an operator of a pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year) | |
Gas supply | Supply undertakings that supply gas to >250,000 final customers | The holder of a supply licence under Art. 8(1)(c) of the Gas (NI) Order 1996 who supplies gas to >2,000 customers |
Gas transmission | Transmission system operators with a potential to disrupt delivery to >250,000 final customers (does not include transmission systems for which an interconnector licence applies), or holders of interconnector licences where the gas interconnector to which the licence relates has the technological capacity to input >20m cubic metres of gas per day to a transmission system | The holder of a gas conveyance licence under Art. 8(1)(a) of the Gas (NI) Order 1996 |
Gas distribution | Distribution system operators with a potential to disrupt delivery to >250,000 final customers | The holder of a licence under Art. 8(1)(a) of the Gas (NI) Order 1996 |
Gas storage | Storage system operators where the storage facility has the technological capacity to input >20m cubic metres of gas per day to a transmission system | The holder of a licence under Art. 8(1)(b) of the Gas (NI) Order 1996 |
Gas LNG | LNG system operators where the LNG facility has the technological capacity to input >20m cubic metres of gas per day to a transmission system | The holder of a licence under Art. 8(1)(d) of the Gas (NI) Order 1996 |
Gas processing | An operator of a relevant gas processing facility (an operator of a facility with a throughput >3,000,000 tonnes of oil equivalent per year), or a relevant upstream pipeline and associated infrastructure that is connected to and operated from such a relevant gas processing facility and critical to the continued operation of that facility (an operator of a pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year) | |
Gas petroleum | A relevant offshore installation which is part of a petroleum production project (other than a project which is primarily used for the storage of gas), or a relevant upstream petroleum pipeline which is connected to and operated from such an installation: an operator of an installation or pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year | |
Transport (sector) | | |
Air transport aerodrome | For the essential service of the provision of services by the owner or manager of an aerodrome, the threshold requirement in the UK is an owner or manager of an aerodrome with annual terminal passenger numbers >10 million | |
Air transport air traffic | An entity which is granted a licence by the Secretary of State or the Civil Aviation Authority to provide en-route air traffic services in the UK, or an air traffic service provider at any airport which has annual terminal passenger numbers >10 million | |
Air transport carrier | An air carrier which has >30% of the annual terminal passengers at any UK airport which has annual terminal passenger numbers >10 million, and >10 million total annual terminal passengers across all UK airports | |
Rail transport rail service | In GB, any operator of a mainline railway asset, excluding: railway assets solely for the provision of international rail services; railway assets for metro, tram and other light rail (including underground) systems; heritage, museum or tourist railways, whether or not they are operating solely on their own network; and networks which are privately owned and exist solely for use by the infrastructure owner for its own freight operations or other passenger or freight services for third parties, and operators of passenger or freight services on those networks (including high speed rail services) | Any railway undertaking in NI |
Rail transport high-speed | For the essential service of high speed rail services, the threshold requirement in the UK is an operator of a railway asset for high speed rail services | |
Rail transport metro | For the essential service of metros, trams and other light rail services (including underground services), the threshold requirement in the UK is an operator with >50 million annual passenger journeys | |
Rail transport international | For the essential service of international rail services, the threshold requirement in the UK is an operator of a Channel Tunnel train or the infrastructure manager of the Channel Fixed Link | |
Water transport shipping | For the essential service of shipping in the UK, the threshold requirement is: a shipping company which handles >5 million tonnes of total annual freight at UK ports and >30% of the freight at any individual UK port which fulfils at least one of the following criteria (it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >10% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK); or a shipping company with >30% of the annual passenger numbers at any individual UK port which has annual passenger numbers >10 million | |
Water transport harbour | A harbour authority for a port which has annual passenger numbers >10 million, or a harbour authority for a port which fulfils at least one of the following criteria (it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >10% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK) | |
Water transport port facility | An operator of a port facility which handles passengers at a port which has annual passenger numbers >10 million; or an operator of a port facility at a port which fulfils at least one of the following criteria (it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >15% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK), where that port facility operator handles the same type of freight for which the port fulfils one of those criteria | |
Water transport vessels | An operator of vessel traffic services at a port which has annual passenger numbers >10 million; or an operator of vessel traffic services at a port which fulfils at least one of the following criteria (it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >10% of the total liquid bulk traffic in the UK; or it handles 20% of the total biomass fuel traffic in the UK) | |
Road transport | For the essential service of road transport services, the threshold requirement in the UK is a road authority (EU definition: Delegated Regulation (EU) 2015/962) responsible for roads in the UK that have vehicles travelling >50 billion miles in total on them. For the essential service of road services provided by Intelligent Transport Systems (EU definition: Article 4(1) of Directive 2010/40/EU), the threshold requirement in the UK is a road authority that provides Intelligent Transport Systems services covering roads in the UK that have vehicles travelling >50 billion miles in total on them per year | |
Health (sector) | | |
Healthcare | Regionally (England, Wales and Scotland) different thresholds, generally defined under the National Health Service Act 2006 (England, Wales) and the National Health Service (Scotland) Act 1978 | Health and Social Care Trusts within the meaning of HSC Trust in section 31 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 |
Water (sector) | | |
Water | The threshold requirement which applies to the essential service of the supply of potable water in the UK is the supply of water to ≥200,000 people | |
Digital Infrastructure (sector) | | |
Digital Infrastructure TLD | For the essential service of a TLD Name Registry, irrespective of its place of establishment (whether within, or outside of, the UK): | |
Digital Infrastructure DNS | For the essential service of a DNS resolver service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the UK): | |
Digital Infrastructure IXP | For the essential service of an IXP provided by an IXP operator, irrespective of its place of establishment (whether within, or outside of, the United Kingdom): | |
Security Measures in UK NIS
Cybersecurity measures as regulated by UK NIS1 are split into obligations for OES (Operators of Essential Services) and RDSPs (Relevant Digital Service Providers).
OES Cybersecurity
- Follow the NCSC Cyber Assessment Framework (CAF) with 14 principles and 39 sector-specific outcomes
- CAF principles include governance, risk management, and recovery planning
- Proactively audited by sector-specific competent authorities (e.g., Ofgem, NHS Digital)
- Report "significant impact" incidents (assessed by user numbers, duration, geographic spread) to sector-specific regulators within 72 hours
RDSPs Cybersecurity
- Required to be compliant with Information Commissioner’s Office (ICO) guidelines and EU Regulation 2018/151 (on DSPs)
- Adopt ISO/IEC 27001 (information security) and ISO/IEC 22301 (business continuity)
- Monitored by the ICO; investigations are triggered by incidents rather than routine audits (likely to change under forthcoming legislation)
- Report substantial impact incidents (service disruptions) to ICO within 72 hours
Sanctions
UK NIS Regulations introduced a structured system of fines for non-compliance:
- Up to £1m for any contravention that could not result in a NIS incident.
- Up to £3.4m for a material contravention that has caused or could cause an incident leading to a significant reduction in service.
- Up to £8.5m for a material contravention that has caused or could cause an incident resulting in a major disruption of service.
- Up to £17m for a material contravention that has caused or could cause an immediate threat to life or a significant negative impact on the UK economy.
The UK competent authority determines the appropriate level of fine based on the severity of the incident and the level of compliance by the OES, with a maximum fine of £17m.
Cyber Security and Resilience (CS&R)
Forthcoming legislation and NIS2
In January 2022, the UK government launched a public consultation process on proposals for legislation to improve the UK's cyber resilience. When the process closed in November 2022, the government published its response to the consultation and its next steps for policy development. Within two weeks of the UK Labour Party's victory in the 2024 general election, the new government announced plans to update the NIS Regulations from 2018 and improve cross-sector cybersecurity.
The current British Government has announced that it intends to present the Cyber Security and Resilience Bill to Parliament in 2025. The Bill, which was officially proposed as part of the King’s Speech (at the State Opening of Parliament) in July 2024, aims to strengthen the UK’s cross-sector cybersecurity legislation to better protect the British economy and infrastructure.
On April 1, 2025 the British Secretary of State (SoS) for Science, Innovation and Technology first presented more concrete plans regarding the CS&R Bill. The Bill will expand and update the current legislation implemented in 2018 and will largely be in line with legislative adjustments made under NIS2.
As of April 2025, no Bill has been published, but the UK Government has announced that the legislation will:
- Expand the scope of covered entities (e.g. to MSPs and data centres) to ensure broader protection of digital services and supply chains.
- Introduce stricter reporting obligations, requiring affected entities to report incidents more comprehensively, including cases of ransomware attacks.
- Give a greater level of authority and powers to regulators (e.g. enable regulators to designate ‘Critical Suppliers’, new powers for the Secretary of State).
- Strengthen supply chain security by setting stronger duties on OESs and RDSPs.
- Introduce a two-stage reporting structure.
National Differences (CS&R and NIS2)
The UK’s implementation of the Cyber Security and Resilience (CS&R) framework will likely feature the following national distinctions:
- The UK government is considering including data centres within the scope by designating data infrastructure as a relevant sector and data as an essential service—subject to threshold criteria. This would apply to facilities with a capacity above 1MW, except for enterprise data centres, where the threshold would be set at over 10MW.
- Introduction of new powers for the Secretary of State to issue a Statement of Strategic Priorities.
- New executive powers enabling the government to direct an entity or authorise a regulator to take action in the interest of national security, subject to safeguards. This mirrors mechanisms in the Telecommunications (Security) Act 2021.
Scope
UK CS&R will cover Managed Service Providers (MSPs) for IT services and so-called Designated Critical Suppliers under its cybersecurity regulation, analogous to EU NIS2.
CS&R aims to provide flexibility to refine the duties and threshold criteria through secondary legislation, subject to appropriate consultation, to ensure that the requirements can be updated in line with changes in technology, emerging threats and lessons learned from implementation.
Managed Service Providers (MSP)
As in EU NIS2, the CS&R Bill will bring Managed service providers (MSPs) into scope, defined in the policy statement from 1 April 2025 as:
- Service provided to another organisation (i.e., not in-house)
- Relies on the use of network and information systems (NIS) to deliver the service
- Relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security
- Involves a network connection and/or access to the customer’s network and information systems.
Designated Critical Suppliers (DCS)
Under the CS&R Bill, regulators will be able to individually designate a supplier as a DCS if the supplier's goods or services are so critical that disruption could have a significant impact on the essential or digital service it supports. DCSs are therefore expected to represent a very small number and percentage of suppliers providing goods or services to the OES and RDSP.
The designation will bring such suppliers directly within the scope of core security requirements and incident reporting obligations, ensuring consistent standards across the supply chain.
The threshold criteria for the designation of DCSs are to be finalized in forthcoming drafts:
- The supplier provides goods or services (including digital services) to an OES (regulated by that regulator) or to an RDSP (in the case of the ICO).
- The regulator judges that a failure or disruption in that supplier’s goods or services – or an incident affecting the supplier’s network and information systems – could have a significant disruptive effect on the provision of the essential or digital service.
- The supplier’s goods or services depend on NIS, making them relevant to the scope of the regulatory framework. This is intended to ensure that suppliers only fall within scope if their goods or services involve or rely upon technology (e.g. IT infrastructure or OT) that could be targeted or disrupted.
- The supplier is not subject to similar cyber resilience regulations elsewhere (e.g., under Part 2 of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021) or under the 2018 Regulations.
Small and medium enterprises (SME)
In addition, the CS&R Bill is expected to extend regulation to certain SME RDSPs. While small and micro RDSPs are exempt from the 2018 NIS Regulations as described above, the forthcoming Bill may change this. UK regulators might designate smaller RDSPs as critical suppliers if they meet the DCS designation criteria, to ensure regulation of high-risk providers regardless of size.
Reporting
According to the UK government, significant cyber and network disruptions go unreported under the NIS Regulations. This limitation hinders the ability to identify and assess vulnerabilities in critical systems. The government views adjustments to the reporting of significant cyber incidents as an essential tool for regulators and the NCSC to better understand the evolving threat landscape.
The Cyber Incident Reporting Bill seeks to update and enhance the current incident reporting requirements for regulated entities by introducing the following key changes:
- Expanding the incident reporting criteria.
- Updating the timeframes for incident reporting.
- Streamlining the reporting process.
- Enhancing transparency requirements for digital services and data centres.
The Bill will be complemented by ongoing work on ransomware, which is under consultation. Both the Department for Digital, Culture, Media and Sport (DSIT) and the Home Office (British Department of the Interior) will continue to collaborate to ensure alignment with future frameworks, avoiding unnecessary duplication. These measures are intended to strengthen the position of regulators in addressing emerging risks, ultimately contributing to improved cyber resilience.
Major changes
Under current NIS regulations, an incident is reportable only if it disrupts the continuity of an essential or digital service. However, the UK government believes this scope is too narrow and excludes many important incidents. The Bill aims to expand the criteria to include incidents that may significantly impact the provision of essential or digital services, such as:
- Compromising the confidentiality, availability, or integrity of a system.
- Spyware attacks targeting Managed Service Providers (MSPs) that act as vectors to compromise other organizations.
- Other incidents severely affecting the integrity of critical systems.
The Bill will introduce a two-stage reporting structure that requires regulated entities to:
- Notify their regulator and inform the NCSC of a significant incident no later than 24 hours after becoming aware of it.
- Submit a full incident report within 72 hours.
This initial notification will serve as an early warning, ensuring that the regulator is informed sooner than under current practices. This mirrors the requirements outlined in EU NIS2, ensuring consistency across jurisdictions.
To simplify the reporting process, regulated entities will be required to notify both their regulator and the NCSC at the same time. This will ensure that both parties receive the same information concurrently, fostering a more cohesive understanding of the threat landscape.
Entities providing digital services and data centres will be required to alert affected customers when a significant incident occurs. This requirement aims to promote greater transparency, openness, and accountability among service providers within the scope of the Bill.
Security measures
As of April 2025, no concrete announcements have been made regarding changes to security measures. The UK government has mentioned its intention to place the principles and objectives of the NCSC Cyber Assessment Framework on a stronger footing.
This section will be updated in due course.
Further Information
Sources
- The Guide to NIS, Information Commissioner's Office, February 2025
- Operators of Essential Services and the NIS Regulations, Website of IT Governance Ltd, March 2025
- NIS Regulations. How does it differ from the EU version? Arcanum Cyber Security, March 2025
- The Network and Information Systems Regulations 2018, Website of the UK government, March 2025
- Policy paper. Cyber security and resilience policy statement, Website of the UK government's Department for Science, Innovation & Technology, April 2025