NIS2 — UK Post-Brexit · Dual Regime

NIS2 & the UK — EU obligations still apply to UK organisations

The UK left the EU before NIS2 was enacted — and chose not to adopt it. But UK organisations with EU operations, customers or infrastructure face full NIS2 obligations. This guide explains both regimes.


UK NIS Regulations 2018 · EU NIS2 for EU ops · Cyber Security & Resilience Bill incoming

Jan 2025: UK NIS Regulations enforcement date
18: EU sectors covered by NIS2
£17M: Maximum UK NIS fine
Full: NIS2 for EU-facing operations

The dual-regime challenges for UK organisations

Brexit created a compliance split. UK organisations navigating both the UK NIS Regulations and EU NIS2 for their European operations face more complexity than those operating in a single jurisdiction.

Territorial scope confusion post-Brexit

UK organisations with EU branches, customers or infrastructure face full NIS2 obligations in those jurisdictions — even though NIS2 never applies in the UK itself. Many compliance teams do not realise this until they receive a request from an EU competent authority.

Two regimes running simultaneously

UK-based operations fall under UK NIS Regulations 2018, while EU-facing operations fall under NIS2. Managing two parallel frameworks with different timelines, thresholds and authorities creates real operational complexity.

EU subsidiary compliance independence

NIS2 treats EU subsidiaries as fully independent entities. UK parent governance policies, incident response procedures and supplier contracts do not automatically satisfy NIS2 requirements for an EU-registered entity.

NCSC CAF vs NIS2 Art. 21: the gap

Organisations following the NCSC Cyber Assessment Framework tend to believe they are close to being NIS2 compliant. The CAF covers most technical measures, but it misses management liability documentation, 24-hour alerting and supply chain contract clauses.

Cyber Security and Resilience Bill uncertainty

The UK government has signalled it will update UK NIS via the Cyber Security and Resilience Bill. The direction of travel mirrors NIS2 but the final scope, thresholds and timelines are not yet confirmed, making long-term planning difficult.

Incident notification: 24h EU vs 72h UK

EU NIS2 requires a 24-hour early warning for significant incidents, followed by a full 72-hour report. UK NIS only requires 72 hours. Organisations operating across both jurisdictions need split incident response protocols.

Why NIS2 does not directly apply in the UK

The UK departed the EU in January 2020, before NIS2 (Directive EU 2022/2555) was enacted. The UK has its own Network and Information Systems (NIS) Regulations 2018, which transposed the original NIS1 Directive and remain in force. The government has consulted on updating UK NIS via the Cyber Security and Resilience Bill but has not adopted NIS2 wholesale. This means UK-incorporated entities with entirely domestic operations are not subject to NIS2 — but the UK NIS Regulations still impose analogous obligations across 7 essential service sectors and digital service providers.

The UK NIS Regulations 2018: what they require

The UK NIS Regulations cover operators of essential services (OES) in energy, transport, water, health, digital infrastructure, and digital service providers (DSPs) such as cloud providers, online marketplaces and online search engines. Requirements include: appropriate and proportionate security measures based on a risk assessment, incident reporting to relevant competent authorities (Ofgem for energy, CQC for health, CAA for aviation, ICO for digital services, etc.), and notification within 72 hours for significant incidents. Failure to comply can result in a maximum penalty of £17 million or 10% of global annual turnover, whichever is higher.

UK organisations operating in the EU: NIS2 applies

If a UK organisation provides services in EU member states, establishes a subsidiary or branch in an EU country, or operates infrastructure classified as essential in an EU jurisdiction, it falls within NIS2's territorial scope for those EU-facing operations. Practical examples include: UK banks with EU branches, UK logistics operators serving EU customers with physical infrastructure there, and UK cloud providers with EU data centres hosting services for EU-resident customers. In each case, the EU-facing entity or operation must comply with NIS2 fully and independently of whatever the UK parent does under UK NIS Regulations.

NIS2 vs UK NIS: key differences

The two regimes diverge in several material ways.

Scope: NIS2 covers 18 sectors versus UK NIS's 7, meaning many UK organisations with EU operations are subject to NIS2 in sectors not covered by UK NIS at all (manufacturing, food, waste management, space).

Management liability: NIS2 Art. 20 introduces explicit personal liability for board members and equivalent governing bodies, including the possibility of temporary suspension from management functions. UK NIS has no equivalent provision.

Incident notification timelines: NIS2 requires a 24-hour early warning followed by a 72-hour full report; UK NIS only requires the 72-hour notification.

Supply chain: NIS2 Art. 21.2(d) mandates written security clauses in ICT supplier contracts; UK NIS has no equivalent contractual requirement.

Fines: NIS2 essential entity maximum is €10M or 2% of global revenue; UK NIS maximum is £17M or 10% of global revenue.

NCSC guidance and its relationship to NIS2

The National Cyber Security Centre (NCSC) publishes the Cyber Assessment Framework (CAF), which is the primary tool for assessing compliance with UK NIS Regulations for operators of essential services. The CAF's four objectives (Manage, Protect, Detect, Minimise) and 14 contributing outcomes overlap significantly with NIS2's Art. 21 measures. Organisations following the CAF will have addressed most NIS2 technical requirements. However, the CAF does not explicitly address three NIS2-specific obligations: management body personal liability documentation, the 24-hour early warning notification requirement, and written security clauses in ICT supplier contracts. A structured CAF-to-NIS2 gap analysis is recommended for any organisation with EU operations.

Preparing for UK cyber resilience legislation

The Cyber Security and Resilience Bill, introduced in the King's Speech 2024, proposes to expand the scope of UK NIS to cover more sectors (beyond the current 7), introduce stricter incident reporting timelines aligned with EU NIS2's 24-hour early warning, and create new mandatory reporting duties for supply chain incidents. The Bill is expected to reach Royal Assent in 2025-2026. UK organisations should monitor its progress closely — the direction of travel is clear convergence with NIS2 principles, even if the UK will not adopt NIS2 verbatim post-Brexit.

IgeraRegtech helps UK organisations navigate both regimes

IgeraRegtech's RAG is trained on both EU NIS2 (Directive EU 2022/2555) and UK NIS Regulations 2018, the NCSC Cyber Assessment Framework, and the proposed Cyber Security and Resilience Bill drafts. UK compliance and legal teams can query both frameworks simultaneously — asking about a specific obligation and getting answers that flag where UK NIS and NIS2 align, where they diverge, and what additional steps are needed. The system generates dual-compliance documentation for EU-facing operations and helps UK organisations prepare for the forthcoming UK legislative changes.

IgeraRegTech NIS2 UK in action

Trained on EU NIS2, UK NIS Regulations 2018, NCSC CAF and the Cyber Security and Resilience Bill. Answers that cite the exact article or CAF objective.

UK NIS vs EU NIS2 gap analyser

Side-by-side comparison of UK NIS Regulations 2018 and EU NIS2 requirements. Identifies what UK-compliant organisations still need to implement for their EU operations under Art. 21.

Dual-regime gap in < 1 day

EU subsidiary NIS2 classifier

Determines whether your EU-established subsidiary qualifies as an essential or important entity under NIS2 Annex I/II, and which EU member state competent authority it must register with.

Classification in < 10 min

NCSC CAF to NIS2 Art. 21 mapping

Complete mapping of CAF objectives (A1-D2) to the 10 NIS2 Art. 21 measures. Highlights where CAF compliance is sufficient and where NIS2 requires additional documentation or controls.

Full CAF-NIS2 mapping

Dual incident notification templates

Incident response templates covering both UK NIS (72h to relevant competent authority) and EU NIS2 (24h early warning + 72h full report). Adapt to the jurisdiction of the affected entity.

100% fields covered

EU subsidiary NIS2 compliance kit

Documentation templates for EU subsidiaries to register with national NIS2 authorities, implement Art. 21 measures and satisfy incident reporting requirements independently of UK parent policies.

Ready-to-file documentation

Cyber Resilience Bill tracker

Updated intelligence on the UK Cyber Security and Resilience Bill scope, proposed timelines and divergence points from EU NIS2. Know what is coming before it is enacted.

Live legislative tracking

Real questions, exact articles

How IgeraRegTech NIS2 UK answers using NIS2, UK NIS Regulations and the NCSC CAF as the source of truth

"We are a UK logistics company with a warehouse operation in Germany. Does NIS2 apply to our German entity?"

Yes. The German entity is established in an EU member state and, if it qualifies as an essential or important entity under NIS2 (e.g. road transport operator under Annex I or II), it is fully subject to NIS2 independently. It must: (1) register with the German NIS2 competent authority (BSI), (2) implement the 10 Art. 21 measures, (3) notify the BSI within 24 hours of a significant incident (early warning) and within 72 hours with a full technical report, (4) ensure supplier contracts include NIS2 security clauses. UK parent governance policies do not satisfy these obligations — the German entity must have its own NIS2 compliance programme.

"Our NCSC CAF assessment is current and rated as 'Achieved' across all objectives. What else do we need for EU NIS2?"

CAF 'Achieved' across all objectives covers the majority of NIS2 Art. 21 technical measures, but three specific NIS2 obligations are not addressed by the CAF: (1) Management liability under Art. 20 — NIS2 requires documented evidence that the board or equivalent has formally approved cybersecurity policies, received periodic training, and accepted personal liability for compliance. CAF does not mandate this governance paper trail. (2) The 24-hour early warning — NIS2 Art. 23.4(a) requires an early warning within 24 hours of detecting a significant incident, before the full 72-hour report. UK NIS and CAF only require 72 hours. (3) Supply chain contract clauses — Art. 21.2(d) NIS2 requires written security clauses in ICT supplier contracts. A gap analysis should document these three areas specifically.

"We are a UK bank with a regulated EU subsidiary. Which regulation applies — NIS2 or DORA?"

DORA (Regulation EU 2022/2554) applies as lex specialis. Art. 1.3 NIS2 explicitly provides that where entities are subject to sector-specific EU acts that contain equivalent or more stringent ICT risk management requirements, those acts prevail over NIS2 for those obligations. DORA, which entered into application on 17 January 2025, covers financial entities including banks, payment institutions and investment firms, and contains requirements equivalent to or exceeding NIS2. Your EU subsidiary must comply with DORA (through its EU financial regulator) and is thereby exempt from NIS2 for the same ICT risk management obligations. The UK entity itself remains subject to UK NIS Regulations and FCA operational resilience rules.

Frequently asked questions — NIS2 & the UK

Direct answers on NIS2 for UK organisations with EU operations

If we're a UK company with no EU operations, do we need to worry about NIS2?

Not directly. NIS2 applies based on where services are provided to end users and where infrastructure operates, not where the company is incorporated. If your operations, customers and infrastructure are entirely UK-based, NIS2 does not apply. However, the UK's own NIS Regulations and the forthcoming Cyber Security and Resilience Bill impose similar obligations that you should be preparing for.

We have an EU subsidiary. Does it need to comply with NIS2 independently?

Yes. An EU-established subsidiary is treated as a separate entity under NIS2. It must register with the national NIS2 competent authority in the member state where it is established, implement Art. 21 measures independently, and comply with incident notification requirements (24-hour early warning and 72-hour full report). UK parent company governance documentation, incident response procedures and supplier contracts do not automatically satisfy NIS2 requirements for the EU subsidiary.

Can we use our NCSC CAF compliance to demonstrate NIS2 compliance?

The CAF covers much of NIS2 Art. 21 but is not a 1:1 mapping. CAF objectives B1-B6 (protect) and C1-C2 (detect/respond) align well with NIS2 technical measures. However, NIS2 adds specific requirements that the CAF does not explicitly address: management body personal liability documentation (Art. 20), the 24-hour incident early warning (Art. 23.4(a)), and written security clauses in ICT supplier contracts (Art. 21.2(d)). A structured gap analysis is recommended before claiming NIS2 compliance on the basis of CAF alone.

What is the 24-hour alert requirement under NIS2, and does UK NIS have this?

NIS2 Art. 23.4(a) requires an early warning to the competent authority within 24 hours of detecting a significant incident — just indicating whether it appears malicious and if it could have cross-border impact. The full technical report follows within 72 hours. UK NIS currently only requires a 72-hour notification with no early warning stage. The Cyber Security and Resilience Bill is expected to introduce a similar 24-hour requirement, aligning with EU NIS2 in this respect.

We're a UK fintech with EU customers — which regulation takes precedence, NIS2 or DORA?

For financial entities, DORA (Regulation EU 2022/2554) takes precedence over NIS2 for ICT risk management. Art. 1.3 NIS2 explicitly states that for entities subject to sector-specific EU acts containing equivalent security requirements (such as DORA), those acts prevail. DORA entered application on 17 January 2025 and covers banks, payment institutions, investment firms and other financial entities. Your EU-regulated operations must comply with DORA (which acts as lex specialis to NIS2). The UK entity itself remains subject to UK NIS Regulations and FCA operational resilience rules.

Talk to us about NIS2 and UK compliance

Tell us about your UK and EU operations and we will show you exactly where the two regimes overlap and where you have gaps to close.

No commitment · 14-day free trial · No credit card required