Cybersecurity & Business Resilience

Impact and implications for businesses navigating EU cybersecurity legislation

Discover how we defend today and secure tomorrow against cyber threats. Learn about the NIS and NIS2 Directive’s impact on EU cybersecurity legislation.

The National Cyber Security Centre (NCSC) leads the national response to cyber risk. We defend today and seek to secure tomorrow.

Defending today involves responding to incidents, thwarting bad actors and building strong sustainable networks with colleagues and stakeholders nationally, regionally and globally. Securing tomorrow requires us to build and sustain better infrastructure with technologies supported by an internet that is secure, open and free for everyone to use.

EU cybersecurity legislation impact

Our most significant regional networks are those we build within and throughout the EU. As with other areas of our daily lives, the EU as a legislative body has issued numerous regulatory interventions relating to cybersecurity. Most notably, it issued the Network and Information System (NIS) Directive in 2016. This had a profound impact on the administration of cybersecurity throughout the EU.

Following a large amount of work, the national legislation for the initial NIS Directive was signed in September 2018. At the time of its introduction, the Operators of Essential Services (OES) impacted by the NIS Directive within the State numbered 70.

NIS2 expands scope and mandates cybersecurity

In December 2022, that initial Directive was followed by what is known widely as NIS2. This contains measures for a high level of cybersecurity across the EU. Importantly, from the NCSC’s perspective, we have gone from being able to host all those impacted by the initial Directive in one room, to having thousands of entities come into scope.

Importantly, this includes any business classified as medium or above — that is any business with 50 or more employees or a turnover of €10 million. Even more importantly, all those within scope are expected to self-identify as such. Similarly, they are expected to have robust security measures in place, and responsibility for this rests with the entities’ boards.

Timely, clear NIS2 communication and registration

Within the NCSC, we are committing to:

• Ensure that our communications on the progression of national NIS2 legislation are timely and clear;

• Provide a single portal, which will enable entities to register as being in scope and report significant incidents, as required by the Directive;

• Set clear cybersecurity measures arising from the Directive and assist the federated national competent authorities in enforcing them.