UK headquarters keep telling our consultants the same thing: "NIS2 is an EU problem, we're out of scope." Then we look at their group structure and find a Dublin subsidiary processing payment data for the rest of the group, a Frankfurt logistics arm running SCADA, or a Dutch managed service entity that hit the 50-employee threshold last year. The UK parent is suddenly responsible for an Essential Entity registration it didn't know existed.

The NIS2 Directive (EU 2022/2555) had to be transposed into national law by EU Member States by 17 October 2024. Most Member States missed that deadline — Germany, France, the Netherlands and others ran late through 2025 — but the obligations bite the moment national law goes live. For UK-headquartered groups with EU subsidiaries, the supervisory authority sits in the Member State where the subsidiary operates, not with the ICO or NCSC.

This catches British firms repeatedly. Here's what UK boards need to understand before their EU regulator sends the first information request.

What NIS2 actually is — and what changed from NIS1

The original NIS Directive (2016) covered Operators of Essential Services and Digital Service Providers across seven sectors. Identification was largely done by Member State authorities, scope was patchy, and enforcement varied wildly. The UK transposed it as the NIS Regulations 2018, which still apply to UK entities.

The NIS2 vs NIS comparison is not incremental — it is a redrawn perimeter:

  • Eighteen sectors instead of seven, split into "Essential Entities" (Annex I — energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, space) and "Important Entities" (Annex II — postal, waste, chemicals, food, manufacturing of critical products, digital providers, research).
  • Size-cap rule: medium-sized (50+ staff or €10m+ turnover) and large entities are in scope automatically. No more Member State discretion to leave you out.
  • Direct management liability: Article 20 makes management bodies personally responsible for approving and overseeing cybersecurity risk management measures. They can be held liable for breaches of those duties.
  • 24-hour early warning, 72-hour incident notification, one-month final report (Article 23).
  • Fines: up to €10m or 2% of global annual turnover for Essential Entities; €7m or 1.4% for Important Entities.

Why UK firms with EU exposure are walking into this blind

Three patterns keep appearing in our advisory work.

The "EU subsidiary is small" assumption. Group cybersecurity policy sits with the UK CISO, who quite reasonably benchmarks against UK NIS Regulations 2018 and Cyber Essentials. The EU subsidiary has 60 staff and a €15m turnover — it is an Important Entity in its own right, and its management body has personal duties under Article 20 that cannot be delegated to London.

The "we sell into the EU, so we must be in scope" panic. Selling products into the EU does not, by itself, pull a UK entity into NIS2. The directive captures entities established in the EU, with specific extraterritorial rules for digital infrastructure, DNS, cloud, data centre, content delivery and managed service providers under Article 26. Get the establishment question right before you spend money.

The "ICO will tell us" mistake. The ICO, NCSC and FCA do not enforce NIS2. Your supervisory authority is the competent authority in the Member State where the EU entity is established — BSI in Germany, ANSSI in France, the National Cyber Security Centre in Ireland, RDI in the Netherlands. Each runs its own registration portal, deadlines and reporting templates.

The cybersecurity risk management measures Article 21 demands

Article 21 lists ten minimum measures every in-scope entity must implement. They are not optional and they are not aspirational:

  1. Risk analysis and information system security policies
  2. Incident handling
  3. Business continuity, backup management and crisis management
  4. Supply chain security — including direct supplier relationships
  5. Security in acquisition, development and maintenance of network and information systems
  6. Policies to assess the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies on cryptography and encryption
  9. Human resources security, access control and asset management
  10. Multi-factor authentication, secured voice/video/text communications, and secured emergency communications

Mapping these to ISO/IEC 27001:2022 controls covers most of the ground, but supply chain (Article 21(2)(d)) and management oversight (Article 20) are where ISO-certified firms still fail their first NIS2 inspection.

What to do this quarter

Confirm scope per legal entity, not per group. Pull a list of every EU-established subsidiary. For each, apply the Annex I/II sector test, then the size-cap test. Document the conclusion in writing — Member State authorities expect to see a defensible scoping memo.

Register where required. Most Member States require Essential and Important Entities to register on a national portal. Deadlines vary — Ireland's NCSC opened registration in 2025, Germany's BSI portal is live. Miss the registration and the fines start before the security work does.

Brief the EU subsidiary's management body. Article 20 training for directors is not a tick-box. The board of the EU entity needs documented training on cybersecurity risk management measures, and the minutes need to show they approved them.

Fix supply chain due diligence. Vendor questionnaires designed for UK GDPR will not satisfy Article 21(2)(d). You need direct supplier risk assessments, contractual security clauses, and evidence of ongoing monitoring.

How Pyralink helps

Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), with £5M professional indemnity cover. Our consultants run NIS2 scoping assessments for UK-headquartered groups with EU subsidiaries, build the Article 21 control set against ISO 27001:2022, and prepare boards for Article 20 oversight duties.

Where clients need ongoing cap
