Three quarters of UK firms unprepared for NIS2 regulations, study finds
Senior management can be held personally liable for non-compliance under NIS2 rules


Three-quarters of UK organizations have yet to complete preparations for the EU’s Network and Information Security Directive (NIS2), according to a new study.
With just one year to go until the deadline for implementation, a majority of UK organizations are yet to fully address and compensate for the five key compliance requirements outlined in the new regulations, SailPoint found.
The new rules are an updated version of previous NIS regulations, introduced by the EU in 2018.
NIS2 essentially aims to build on the previous regulations and implement more robust cyber security and resilience standards among EU organizations, as well as more stringent reporting measures in the event of a security incident.
Under the updated regulations, all public and private entities operating in the EU will be required to adhere to new standards. The regulations specifically target organizations working in critical infrastructure sectors, such as energy, finance, and healthcare.
SailPoint’s study, based on a survey of 1,500 IT decision makers across the UK, France, and Germany, found that many UK firms have yet to even begin preparations for the new rules.
Four in five (80%) revealed they still need to properly secure supply chains while three-quarters (76%) said they have yet to assess the efficiency of existing cyber security measures.
Three-quarters of organizations also need to add new risk management measures (74%), implement HR security (76%), or provide cyber security training to staff (72%).
SailPoint warned that those who fail to comply with the new obligations could face harsh penalties. Organizations can face fines of up to €10 million for non-compliance, or the equivalent of 2% of their annual turnover.
“With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation,” said Stephen Bradford, senior vice president for EMEA at SailPoint.
“The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses.”
Bradford said the current lax approach among some UK organizations bears similarities to the months preceding the implementation of the EU’s General Data Protection Regulation (GDPR).
He urged that businesses “must learn from GDPR” and use the next 12 months to ensure cyber resilience “is at the core of the business models” to avoid falling foul of the regulations.
This is particularly important given certain aspects of the regulations pertaining to personal liability.
Under the new rules, senior management could be held liable for cyber security failings and regulatory infringements if their organization does not comply with its obligations.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.