Three quarters of UK firms unprepared for NIS2 regulations, study finds

Gold lock floating above a digitally rendered motherboard with blue and red glowing hues, denoting ransomware
(Image credit: Getty Images)

Three-quarters of UK organizations have yet to complete preparations for the EU’s Network and Information Security Directive (NIS2), according to a new study. 

With just one year to go until the deadline for implementation, a majority of UK organizations are yet to fully address and compensate for the five key compliance requirements outlined in the new regulations, SailPoint found. 

The new rules are an updated version of previous NIS regulations, introduced by the EU in 2018. 

NIS2 essentially aims to build on the previous regulations and implement more robust cyber security and resilience standards among EU organizations, as well as more stringent reporting measures in the event of a security incident. 

Under the updated regulations, all public and private entities operating in the EU will be required to adhere to new standards. The regulations specifically target organizations working in critical infrastructure sectors, such as energy, finance, and healthcare. 

SailPoint’s study, based on a survey of 1,500 IT decision makers across the UK, France, and Germany, found that many UK firms have yet to even begin preparations for the new rules. 

Four in five (80%) revealed they still need to properly secure supply chains while three-quarters (76%) said they have yet to assess the efficiency of existing cyber security measures.

Three-quarters of organizations also need to add new risk management measures (74%), implement HR security (76%), or provide cyber security training to staff (72%). 

SailPoint warned that those who fail to comply with the new obligations could face harsh penalties. Organizations can face fines of up to €10 million for non-compliance, or the equivalent of 2% of their annual turnover. 

“With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation,” said Stephen Bradford, senior vice president for EMEA at SailPoint.

“The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses."

Bradford said the current lax approach among some UK organizations bears similarities to the months preceding the implementation of the EU’s General Data Protection Regulation (GDPR). 


Ultimate guide to monitoring and logging requirements

(Image credit: Graylog)

Comply with multiple regulations and industry standards


He urged that businesses “must learn from GDPR” and use the next 12 months to ensure cyber resilience “is at the core of the business models” to avoid falling foul of the regulations. 

This is particularly important given certain aspects of the regulations pertaining to personal liability. 

Under the new rules, senior management could be held liable for cyber security failings and regulatory infringements if their organization does not comply with its obligations. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.