Giovanni Piccirillo
January 22, 2026

Cybersecurity today represents one of the fundamental pillars of the digital sovereignty of states and supranational organizations, becoming an essential element for safeguarding national security, economic stability, the protection of critical infrastructure and fundamental rights. The intensification of cyber attacks, the growing sophistication of cyber threats, the proliferation of hostile state and non-state actors in cyberspace, and the critical dependence of contemporary societies on digital technologies have made it imperative to adopt robust, comprehensive regulatory frameworks capable of dynamically adapting to the evolving threat landscape.
The European Union responded to these challenges with the adoption of Directive (EU) 2022/2555, known as the Network and Information Security 2 (NIS2) Directive, which replaces and significantly expands the previous regime established by Directive (EU) 2016/1148. NIS2 is part of a complex and layered regulatory ecosystem, including the General Data Protection Regulation (GDPR), the Cybersecurity Act, the Critical Entities Resilience Directive (CER), the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act, establishing a cybersecurity governance model based on ex ante obligations, transnational cooperation, risk management, and operator accountability.
The United Kingdom, for its part, has embarked on its own cybersecurity regulation journey since Brexit, culminating in the proposed Cyber Security and Resilience Bill, currently under parliamentary debate. This regulatory proposal reflects the UK's ambition to maintain high cybersecurity standards while asserting regulatory autonomy from the European Union. It is part of a context characterized by the need to ensure business continuity for businesses operating in both jurisdictions, maintain security cooperation with EU member states, and attract investment through the creation of a clear, proportionate, and predictable regulatory environment.
This paper aims to provide a comparative and systematic analysis of the two regulatory frameworks, highlighting their structural similarities, application differences, implications for cross-border economic operators, and interpretative challenges that characterize both regimes. The analysis is based on a methodological approach that emphasizes the examination of primary regulatory sources, a systematic interpretation of the provisions, consideration of the relevant political and strategic context, and attention to the practical implications for obliged entities.
Directive (EU) 2022/2555 of 14 December 2022, concerning measures for a high common level of cybersecurity across the Union, repeals and replaces the previous NIS Directive of 2016, introducing substantial changes that significantly broaden its scope, strengthen the obligations of addressees, and enhance enforcement and transnational cooperation mechanisms. NIS2 aims to address the gaps and critical issues that emerged in the application of the previous regime, particularly the fragmentation of national approaches, insufficient sectoral coverage, weak sanctioning mechanisms, and limited cooperation between competent authorities.
The Directive is based on three fundamental pillars:
NIS2 introduces a fundamental distinction between "essential entities" and "important entities", a classification that determines the applicable legal regime in terms of the intensity of supervision, severity of sanctions, and procedural requirements. Essential Entities include operators providing critical services for the maintenance of essential social and economic activities, while Important Entities include operators whose interruption of services could have a significant but not critical impact. This distinction is based on size (number of employees, turnover, total balance sheet) and sectoral criteria, with the application of the "size-capping rule" principle, which excludes micro and small enterprises from the scope of application, unless they play a critical role in highly sensitive sectors.
The sectors covered by NIS2 have been significantly expanded compared to the previous regime and include: energy (electricity, district heating, oil, gas, hydrogen); transport (air, rail, water, road); banking and financial market infrastructure; healthcare; drinking water and wastewater; digital infrastructure (internet exchange points, DNS service providers, top-level domain name registries, cloud computing providers, data center service providers, content distribution network providers, trust service providers, providers of publicly available electronic communications services, electronic messaging service providers); ICT services (business-to-business); public administration; space; production, manufacturing, and distribution of chemicals; production, processing, and distribution of food products; manufacture of medical devices, in vitro diagnostic medical devices, computer, electronic, and optical products, electrical equipment, machinery and equipment n.e.c., motor vehicles, trailers, and semi-trailers, and other means of transport; digital service providers (online marketplaces, online search engines, social networking platforms); research organizations; waste management; chemical manufacturing.
The substantive obligations imposed by NIS2 are divided into several categories. First, obligated parties must adopt appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of the IT and network systems they use in their operations or in the provision of their services, and to prevent or minimize the impact of security incidents. These measures must be based on a multi-risk approach that takes into account all risks, including hybrid threats and supply chain vulnerabilities. They include risk analysis and IT security policies; incident management; business continuity (backup management, disaster recovery, crisis management); supply chain security; security in the acquisition, development, and maintenance of IT and network systems; policies and procedures for evaluating the effectiveness of cybersecurity risk management measures; basic cyber hygiene practices and cybersecurity training; policies and procedures regarding the use of cryptography and encryption; human resource security, access control, and resource management; and the use of multi-factor or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communication systems.
Second, obliged entities must have adequate governance structures in place, assigning the management body responsibility for overseeing the implementation of cybersecurity risk management measures, approving relevant policies, and providing specific training on the subject. This requirement for management body involvement represents a significant change compared to the previous regime and reflects the awareness that cybersecurity is not a merely technical issue, but rather affects the overall corporate strategy and requires oversight at the highest decision-making levels.
Third, NIS2 imposes stringent reporting obligations for significant incidents. Obliged entities must notify the CSIRT or the Competent Authority without undue delay of any incident that significantly impacts the provision of their services. Notification must occur in three phases: an initial pre-alert within 24 hours of becoming aware of the incident; a full notification within 72 hours; and a final report within one month, with interim updates if necessary. Failure to notify or late notification may result in particularly severe administrative fines.
NIS2 does not operate in isolation, but is part of a complex and layered regulatory ecosystem, characterized by the coexistence of multiple sectoral and horizontal regimes that govern different yet interconnected aspects of digital security, data protection, operational resilience, and cybersecurity certification. The correct interpretation and application of NIS2 therefore requires a systematic analysis of its interactions with other European regulatory instruments, in order to avoid overlaps, contradictions, and duplicative burdens for economic operators.
The relationship between NIS2 and Regulation (EU) 2016/679 (GDPR) is particularly important, as both instruments impose obligations that may partially overlap, particularly with regard to personal data security and breach notification. The GDPR requires data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and to notify the supervisory authority of personal data breaches within 72 hours of becoming aware of them, as well as to communicate such breaches to data subjects in cases where the breach results in a high risk to the rights and freedoms of natural persons.
NIS2 contains specific provisions aimed at ensuring consistency with the GDPR, requiring that cybersecurity risk management measures comply with personal data protection obligations and that reporting incidents under NIS2 is without prejudice to personal data breach notification obligations under the GDPR. However, there remain areas of uncertainty regarding interpretation, particularly regarding notification deadlines (24/72 hours for NIS2, 72 hours for the GDPR), the recipients of the notification (CSIRT/NIS Competent Authority for NIS2, data protection supervisory authority for the GDPR), and the content of the information to be communicated.
Regulation (EU) 2019/881, known as the Cybersecurity Act, establishes a European framework for the cybersecurity certification of ICT products, services, and processes, with the aim of increasing transparency, facilitating mutual recognition between Member States, and reducing compliance costs for businesses. The Cybersecurity Act assigns the European Union Agency for Cybersecurity (ENISA) a central role in defining European certification schemes, which can be adopted on a voluntary basis or made mandatory through sector-specific legislation. NIS2 expressly provides that obliged entities can demonstrate compliance with risk management obligations by obtaining certifications issued under the Cybersecurity Act, thus establishing a functional link between the two regimes and encouraging the adoption of harmonized standards.
Directive (EU) 2022/2557 on the resilience of critical entities (CER), adopted simultaneously with NIS2, focuses on the physical and organizational resilience of entities providing essential services, imposing obligations to assess risks, adopt resilience measures, and notify incidents affecting the provision of essential services. The CER and NIS2 have a partially overlapping scope, as many Essential Entities under NIS2 are also critical entities under the CER. The two directives were designed to complement each other, with the CER focusing on physical resilience (protection of infrastructure against physical threats, natural events, and pandemics) and NIS2 focusing on cyber resilience. However, the coexistence of the two regimes can create operational complexity for entities falling within both scopes, which must comply with parallel obligations and interface with different competent authorities.
Regulation (EU) 2022/2554 on Digital Operational Resilience in the Financial Sector (DORA) introduces a specific and detailed regime for financial institutions, imposing obligations regarding ICT risk management, incident reporting, resilience testing, third-party ICT risk management, and information sharing. DORA expressly provides that its provisions prevail over those of NIS2 for financial institutions falling within its scope, applying the principle of lex specialis. This means that banks, insurance companies, investment firms, and other entities regulated by DORA are exempt from the obligations of NIS2, subject to specific exceptions. This prevailing regime aims to avoid duplication and ensure a consistent regulatory framework for the financial sector, but requires careful analysis by operators to determine which regime is applicable and which obligations must be met.
The Cyber Resilience Act, proposed by the European Commission in September 2022 and currently in the final adoption phase, introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market, imposing obligations on manufacturers to ensure security by design, manage vulnerabilities, provide security updates, and notify actively exploited vulnerabilities and security incidents. The Cyber Resilience Act applies to products, while NIS2 applies to services and the activities of economic operators. However, there are many overlaps, as many entities required by NIS2 use products with digital elements and may also be manufacturers of such products. Compliance will therefore require an integrated approach that takes both regimes into account.
The application of NIS2 raises numerous interpretative questions and operational challenges, stemming from the complexity of the regulatory framework, the breadth of its scope, the need for coordination with other legal regimes, and the rapid evolution of technology and the threat landscape. These challenges are particularly relevant for economic operators, who must determine whether they fall within the scope of the directive, what obligations they must fulfill, and how to ensure compliance effectively and efficiently.
A first critical area concerns determining the applicability of the directive. NIS2 applies to public and private entities listed in Annex I (Essential Entities) and Annex II (Important Entities), provided they meet certain size criteria. The basic criterion is that of medium-sized enterprises, defined as enterprises that employ at least 50 people and have an annual turnover or annual balance sheet total not exceeding €50 million. Large enterprises are also included, regardless of sector. However, the directive provides for numerous exceptions and specifications. First, Member States may decide to apply the directive to micro and small enterprises if they are the sole providers of a service in a Member State or if the interruption of service could have a significant impact. Second, for certain particularly critical sectors (such as providers of public electronic communications networks, domain name system services, top-level domain name registries, cloud computing service providers, data center service providers, content distribution networks, qualified trust service providers, and postal service providers), the Directive applies regardless of size. Third, certain categories of entities are expressly excluded, such as entities engaged in defense or national security activities.
Determining whether a business is classified as "essential" or "important" is crucial, as it determines the applicable supervision and sanctioning regime. Essential businesses are subject to ex-ante supervision, with the possibility of on-site inspections and periodic audits, and are subject to administrative fines of up to at least €10 million or 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher. Important businesses are subject to ex-post supervision, based on evidence or complaints, and are subject to fines of up to at least €7 million or 1.4% of the total annual worldwide turnover. This distinction requires careful analysis by operators to determine their classification, taking into account their sector of activity, company size, role in the supply chain, and national implementation specificities.
A second critical area concerns the interpretation of risk management obligations. Article 21 of NIS2 requires risk management measures to be "adequate and proportionate" to the risks posed, but does not provide precise parameters for determining what constitutes an adequate level of security. The directive lists a series of minimum measures (risk analysis policies, incident management, business continuity, supply chain security, etc.), but leaves operators with discretion in their implementation. This discretion allows for the need to adapt measures to the specificities of each operational context, but it creates legal uncertainty regarding the criteria competent authorities will use to assess compliance. In particular, the question remains whether the adoption of recognized technical standards (such as ISO/IEC 27001, ISO/IEC 27002, and the NIST Cybersecurity Framework) is sufficient to demonstrate compliance, or whether authorities can require additional measures based on sectoral specificities or national risk assessments.
A third critical area concerns incident reporting requirements. NIS2 requires the reporting of "significant" incidents, but the definition of significance is complex and requires a multifactorial assessment. An incident is considered significant if it has caused or is likely to cause serious operational disruption to services or financial losses for the affected entity, or if it has had or is likely to have an impact on other natural or legal persons, resulting in significant material or non-material losses. The assessment of significance must take into account numerous parameters, including the number of users affected, the duration of the incident, its geographical scope, the degree of disruption to service operations, the extent of the impact on economic and social activities, and other criteria specified in the implementing acts adopted by the Commission. This assessment must be carried out within a very short timeframe (within 24 hours for the pre-alert), in conditions of uncertainty regarding the nature and extent of the incident, and carries the risk of sanctions both in the event of omitted or late notification, and in the event of unnecessary notification that diverts resources from the competent authorities.
A fourth critical area concerns supply chain risk management. Article 21(2)(e) expressly requires that risk management measures include "policies and procedures relating to supply chain security, including security aspects relating to the relationship between each entity and its direct suppliers or service providers." This provision requires obliged entities to extend risk assessment and management to their suppliers, including cloud service providers, software vendors, hardware suppliers, and managed service providers. However, the Directive does not specify which specific measures must be adopted, which contractual clauses must be included in relationships with suppliers, which checks must be performed, or what level of due diligence is required. Furthermore, uncertainties remain regarding the ability of obliged entities to delegate some of their responsibilities to suppliers and the consequences of an incident resulting from vulnerabilities or compromises in the supply chain.
A fifth critical area concerns the liability of the management body. Article 20 of NIS2 expressly requires members of the obliged entity's management body to approve risk management measures, supervise their implementation, and undergo specific training. Member States must also adopt measures to ensure that members of the management body can be held accountable for breaches of risk management obligations. This provision introduces a form of personal liability for directors, which could take the form of administrative, civil, or, in extreme cases, criminal liability, depending on national implementation decisions. However, uncertainties remain regarding the criteria for attributing liability (strict liability, fault-based liability, joint and several liability), the distribution of liability among the various members of the management body, and the possibilities for exemption or mitigation of liability through the adoption of organizational models, the use of specialized consultants, or the attainment of certifications.
The NIS2 Directive was due to be transposed into Member States' national laws by October 17, 2024. This deadline, particularly stringent given the complexity of the subject matter and the breadth of the changes required compared to the previous regime, presented Member States with significant legislative, organizational, and technical challenges. As of January 2025, the transposition situation presented a heterogeneous picture, characterized by widespread delays, divergent approaches, and varying degrees of implementation completeness.
To date, only a minority of Member States have fully completed the transposition process, adopting the necessary legislative amendments, identifying competent authorities, establishing national CSIRTs, defining supervisory and enforcement procedures, and publishing operational guidelines for obliged entities. Among the states that have completed or are at an advanced stage of transposition are Belgium, France, Germany, the Netherlands, and Denmark, which have adopted different approaches but are substantially compliant with the directive's provisions.
Germany adopted the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) in July 2024, significantly amending the Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG). The German law identifies the Bundesamt für Sicherheit in der Informationstechnik (BSI) as the central Competent Authority, granting it supervisory, inspection, and sanctioning powers, and provides for the establishment of sectoral authorities for specific areas (energy, transport, healthcare). The German transposition is characterized by a particularly rigorous approach, extending the obligations to entities smaller than the minimum size required by the directive when they play a particularly critical role, and introducing particularly severe penalties, up to 2% of global turnover for Essential Entities.
France adopted Ordinance No. 2024-560 of 19 June 2024 on the transposition of Directive (EU) 2022/2555, which amends the Postal and Electronic Communications Code and other sectoral legislation. The French transposition assigns the National Information Systems Security Agency (ANSSI) the role of central Competent Authority, confirming the centralized model already adopted for NIS1, and provides for a differentiated supervisory system based on the classification of entities as "essential" or "important." France has also adopted a broad approach to identifying obliged entities, including certain categories of digital service providers and critical infrastructure operators that may not fall strictly within the minimum scope of the directive.
The Netherlands has adopted the Wet tot wijziging van de Wet beveiliging netwerk- en informatiesystemen in verband met de implementatie van Richtlijn (EU) 2022/2555, which amends the previous law transposing NIS1. The Dutch transposition is characterized by strong private sector involvement in defining technical standards and operational procedures, through collaboration between public authorities, trade associations, and standardization bodies. The Netherlands has also established a system of sectoral Information Sharing and Analysis Centres (ISACs), which facilitate the sharing of threat information and best practices among operators in the same sector.
Italy is at an advanced stage of transposition, having adopted Legislative Decree No. 138 of 4 November 2024, implementing Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148. The Italian decree identifies the National Cybersecurity Agency (ACN) as the central competent NIS authority, assigning it coordination, supervision, and enforcement functions, and provides for the establishment of sectoral authorities responsible for specific areas (IVASS for the insurance sector, Bank of Italy for the banking sector, AGCOM for electronic communications, etc.). The Italian transposition is characterized by its integration with the national regulatory framework regarding the national cybersecurity perimeter, governed by Legislative Decree no. 105 of 21 September 2019, and by the adoption of a coordinated approach aimed at avoiding duplication and overlap between the different regimes.
Spain published a Royal Decree for the transposition of NIS2 in September 2024, establishing the National Cryptographic Center (CCN) and the National Cybersecurity Institute (INCIBE) as competent authorities, with a division of responsibilities based on the public or private nature of the obliged entities. The Spanish transposition also provides for a strengthened role for the National Cybersecurity Council, an inter-ministerial strategic coordination body.
However, several Member States are experiencing significant delays in transposition, resulting in infringement proceedings by the European Commission. This delay is due to multiple factors, including the technical complexity of the matter, the need for coordination between multiple sectoral administrations, political difficulties in approving new legislation, and, in some cases, uncertainty regarding the interpretation of certain provisions of the directive. The European Commission has initiated infringement proceedings against several Member States that failed to notify the transposition measures within the prescribed deadline, and has threatened to bring the matter before the Court of Justice of the European Union in the most serious cases of non-compliance.
The heterogeneity of national transposition approaches raises concerns about the risk of fragmentation of the internal market and unequal treatment of operators carrying out similar activities in different Member States. Although NIS2 aims to ensure a high common level of cybersecurity through the harmonization of obligations and procedures, its nature as a directive (rather than a directly applicable regulation) leaves Member States with a margin of discretion in implementation, which can result in significant divergences. These divergences concern, in particular, the criteria for identifying obliged entities, the interpretation of size thresholds, the definition of notification procedures, the level of penalties, the powers of competent authorities, and the modalities of cooperation between national authorities.
Having left the European Union on January 31, 2020, and having completed the transition period on December 31, 2020, the United Kingdom is not bound by the NIS2 Directive and has undertaken its own cybersecurity regulation process. However, the British context remains influenced by European regulatory developments, for reasons of historical continuity (the UK transposed the NIS1 Directive through the Network and Information Systems Regulations 2018), of the need to ensure interoperability and cooperation on security with EU member states, and of the need to maintain high standards that facilitate access to the European market for British companies.
The Cyber Security and Resilience Bill, introduced to the UK Parliament in November 2024 and currently undergoing parliamentary scrutiny, represents the UK's most significant legislative initiative regarding cybersecurity post-Brexit. The Bill aims to modernize and strengthen the UK regulatory framework, broadening its scope, introducing more stringent obligations for digital service providers and operators of critical infrastructure, and strengthening the powers of the competent authorities in terms of supervision, enforcement, and international cooperation.
The Bill is structured around four fundamental pillars. The first pillar concerns the identification of obligated entities, which includes digital service providers (cloud computing, data centers, content delivery networks, managed service providers), critical infrastructure operators (energy, transport, water, healthcare, communications), providers of services essential to national security, and certain categories of supply chain suppliers. The classification of entities is based on functional rather than size-related criticality criteria, which significantly differentiates the British approach from the European one.
The second pillar concerns the substantive obligations imposed on obliged entities. The Bill requires the adoption of appropriate cyber risk management measures, based on a risk-based approach and proportionate to the nature, scale, and complexity of the activities performed. These measures must include periodic risk assessments, the implementation of technical and organizational controls, vulnerability management, supply chain protection, business continuity, and disaster recovery. Unlike NIS2, which provides a detailed list of minimum measures, the Bill adopts a more flexible and principles-based approach, allowing operators greater discretion in identifying appropriate measures.
The third pillar concerns incident reporting obligations. The Bill requires timely notification to the National Cyber Security Centre (NCSC) of significant security incidents, defined by their actual or potential impact on service provision, national security, or users. The reporting timelines are more flexible than those in NIS2, requiring notification "as soon as reasonably practicable" and allowing for a graduated approach based on the severity of the incident. This flexibility reflects the UK legal tradition of favoring principles-based standards rather than rigid rules, but it entails a greater degree of uncertainty regarding the exact obligations.
The fourth pillar concerns the powers of the competent authorities. The Bill grants the National Cyber Security Centre, part of the Government Communications Headquarters (GCHQ), oversight, guidance, technical support, and incident response coordination functions. The NCSC can issue binding directives, conduct inspections, request information and documentation, and impose corrective measures. In particularly serious cases, the Secretary of State can exercise emergency powers, including the ability to order the disconnection of compromised systems or the temporary cessation of activities that pose unacceptable risks. These powers are broader than those provided for by NIS2, but are subject to procedural safeguards and judicial review.
The sanctions regime under the Bill differs significantly from that of NIS2. While NIS2 provides for particularly high administrative fines (up to 2% of global turnover for Essential Entities), the UK Bill adopts a more graduated approach, prioritizing corrective measures, enforcement notices, and, in the most serious cases, fines determined on a case-by-case basis according to the severity of the violation, the damage caused, the degree of fault, and the size of the operator. The maximum fine is set at £10 million or 2% of global turnover, whichever is higher, for the most serious violations. However, the Bill also provides for the possibility of criminal liability for senior managers in the event of particularly serious violations committed with intent or gross negligence, thus establishing a more stringent regime for natural persons than the European one.
The Bill also introduces a specific regime for cloud computing service providers, who must adopt additional security, transparency, and data portability measures and are subject to enhanced obligations to cooperate with the competent authorities. This regime reflects UK concerns about the concentration of the cloud computing market in the hands of a few large, predominantly US, operators and aims to ensure that these operators meet high security standards and are subject to effective supervision.
A comparative analysis of the NIS2 Directive and the UK Cyber Security and Resilience Bill reveals a framework characterized by substantial convergences in terms of objectives and fundamental principles, but also by significant divergences in methodological approaches, regulatory techniques, applicability criteria, and enforcement mechanisms. These convergences and divergences reflect not only different technical choices, but also constitutional, cultural, and strategic differences between the European and British regulatory models.
In terms of convergence, both regulatory frameworks share the objective of raising the level of cybersecurity by imposing ex ante obligations on operators of essential and critical services, strengthening the resilience of digital infrastructures, improving the ability to detect, respond to, and recover from incidents, and promoting cooperation between the public and private sectors and between different jurisdictions. Both frameworks adopt a risk-based approach, requiring operators to assess the specific risks to which they are exposed and take proportionate measures to mitigate them. Both require notification of significant incidents, the adoption of risk management measures, business continuity measures, and supply chain security. Both grant competent authorities supervisory, inspection, and sanctioning powers, and provide for international cooperation mechanisms.
However, significant differences emerge. A first divergence concerns the personal scope of application, that is, which entities are covered. NIS2 adopts a mixed approach combining sectoral and size criteria (the size-cap rule): medium-sized and large enterprises operating in the sectors listed in Annexes I and II are included automatically, and certain entities are covered regardless of size under Article 2(2), for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, and an entity that is the sole provider in a Member State of a service essential to critical societal or economic activities. The UK Bill, in contrast, adopts a functional, criticality-based approach that sets company size aside and focuses on the potential impact of a service disruption on national security, the economy, or society. In practice, a medium-sized company established in the EU and active in a sector covered by NIS2 is automatically subject to the Directive's obligations, while the same company operating in the UK may fall outside the Bill unless it is identified as a provider of a critical service.
A second divergence concerns the regulatory technique. NIS2 lists the minimum categories of risk management measures that in-scope entities must adopt (Article 21(2)): policies on risk analysis and information system security; incident handling; business continuity, including backup management and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on cryptography and encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication and secured voice, video, text and emergency communications. One caveat matters for practitioners: Article 21(1) still frames these as "appropriate and proportionate" measures to be calibrated to the entity's risk exposure, size and the state of the art, so the Directive fixes the categories rather than the individual controls; the controls are specified in detail only where implementing acts apply, notably Commission Implementing Regulation (EU) 2024/2690 for DNS, TLD, cloud, data centre, CDN, managed service, managed security service, online marketplace, search engine, social networking and trust service providers. The UK Bill, on the other hand, adopts a principles-based approach from the outset, requiring operators to adopt "appropriate measures" without enumerating them and leaving it to operators and competent authorities to determine what is appropriate in the specific context. This difference reflects different legal traditions: continental European law favors detailed and prescriptive rules, while British common law favors general and flexible standards, interpreted and applied case by case.
A third divergence concerns incident reporting obligations. NIS2 lays down a three-stage regime with fixed deadlines for significant incidents (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of the incident notification, with an intermediate report to be supplied on request of the CSIRT or competent authority; the content of each stage is set out in the Directive and in implementing acts. The 24-hour early warning is deliberately minimal: it need only indicate, where applicable, whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact, which partly answers the objection that the facts are still uncertain at that point. The UK Bill provides for a reporting requirement "as soon as reasonably practicable", without rigid deadlines, allowing a more flexible and graduated approach based on the severity of the incident and the information available. Operators welcome this flexibility, pointing to the difficulty of meeting NIS2's tight deadlines during an emergency when the nature and extent of the incident are still unclear, but it brings greater legal uncertainty and the risk of divergent implementation in practice.
A fourth divergence concerns governance and the distribution of responsibilities. NIS2 envisages a multilevel governance model: national competent authorities operate under the coordination of the Cooperation Group and the CSIRTs network at the European level, with ENISA providing technical support and the EU-CyCLONe network coordinating the management of large-scale cybersecurity incidents and crises, and Member States may designate sectoral authorities at the national level. The UK Bill adopts a more centralized model, with the NCSC assuming a predominant coordination, supervision, and support role, complemented by sectoral authorities for specific areas (such as Ofcom for electronic communications). The British choice reflects the country's smaller geographical size and its tradition of centralizing national security functions, while the European model reflects the need to coordinate 27 Member States with different institutional systems and legal traditions.
A fifth divergence concerns the sanctions regime. NIS2 provides for particularly high administrative fines, up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for Essential Entities, and up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for Important Entities, imposed by the competent authorities through administrative procedures. The UK Bill provides for a more graduated approach, with priority given to corrective measures and enforcement notices, and with fines determined case by case up to a maximum of £10 million or 2% of global turnover, whichever is higher. However, the Bill introduces the possibility of criminal liability for senior managers, which NIS2 does not provide for, thus creating a potentially more severe regime for natural persons.
A sixth divergence concerns the relationship with other regulatory regimes. NIS2 is part of a complex European regulatory ecosystem, characterized by the coexistence of multiple regulations and directives (GDPR, Cybersecurity Act, CER, DORA, Cyber Resilience Act) that must be interpreted and applied in a consistent and coordinated manner. The UK Bill operates in a more simplified regulatory environment, with fewer overlapping regulatory instruments, which facilitates interpretation and application but also results in a lower level of detail and specification in some respects.
The analysis of the European and UK cybersecurity regulatory frameworks raises numerous legal, strategic, and operational considerations, particularly relevant for companies operating in cross-border contexts, global digital service providers, critical infrastructure operators, and cyber compliance and risk management professionals.
A first consideration concerns the need for an integrated and harmonized approach to regulatory compliance. Companies operating in both the European Union and the United Kingdom face two distinct regulatory regimes, characterized by substantial convergence but also by significant divergences in their application. The optimal strategy is to design a single control set that satisfies both regimes at once, taking for each obligation the more demanding of the two requirements (for example, the stricter reporting deadline or the more detailed list of measures) and, where necessary, going beyond the minimum of either jurisdiction. This approach avoids duplication, simplifies compliance processes, and reduces overall costs, but it requires a thorough understanding of both regulatory frameworks and of how they interact.
A second consideration concerns supply chain risk management. Both regulatory frameworks recognize that an organization's security depends not only on its own internal measures, but also on the security of its suppliers, particularly cloud service providers, software vendors, hardware suppliers, and managed service providers. Companies must therefore implement vendor risk management processes that include pre-contractual due diligence, the inclusion of appropriate contractual security clauses, periodic supplier compliance reviews, and the development of contingency plans in the event of a supply chain compromise. This management becomes particularly complex in the context of global and multinational supply chains, which may involve suppliers subject to different jurisdictions and heterogeneous regulatory regimes.
A third consideration concerns cybersecurity governance and the role of the management body. NIS2 explicitly establishes the management body's responsibility for overseeing cyber risk management measures, imposing approval, supervision, and training requirements. The UK Bill, while not containing similar explicit provisions, introduces the possibility of criminal liability for senior managers in the event of serious breaches. These provisions mark a paradigm shift from the past, in which cybersecurity was perceived primarily as a technical matter under the purview of Chief Information Security Officers (CISOs) and IT teams. Companies must therefore restructure their governance models, ensuring that the management body is adequately informed about cyber risks, actively participates in defining risk management strategies, approves relevant policies, and has mechanisms for periodic reporting on the effectiveness of the measures adopted. This restructuring also requires the development of specific training programs for directors and the revision of directors' liability insurance policies (D&O insurance) to ensure adequate coverage for cyber risks.
A fourth consideration concerns incident management and reporting procedures. Companies must develop detailed incident response plans that define roles and responsibilities, escalation procedures, criteria for assessing incident significance, methods for collecting and preserving evidence, internal and external communication procedures, and recovery mechanisms. Particular attention must be paid to managing multiple notifications when an incident triggers notification obligations under multiple regulatory regimes (NIS2, GDPR, DORA for the financial sector, national sector regulations, the UK Bill). Companies must also consider the communication and reputational implications of incident reporting, which can lead to media exposure, loss of customer trust, impact on financial markets, and potential legal action from injured third parties.
A fifth consideration concerns cooperation with competent authorities. Both regulatory frameworks grant competent authorities significant powers to request information, conduct on-site inspections, access systems and networks, and impose corrective measures. Companies must establish internal procedures to manage interactions with authorities, designating contact points, defining protocols for responding to requests, ensuring the confidentiality of sensitive information, and ensuring compliance with required deadlines and procedures. Particular attention must be paid to managing on-site inspections, which may involve access to systems, networks, premises, and documentation, and which require balancing the obligation to cooperate with the protection of commercial confidentiality, intellectual property, and third-party rights.
A sixth consideration concerns cross-border implications and international cooperation mechanisms. Companies operating in multinational contexts must contend with the complexity arising from the coexistence of multiple national regulatory regimes and the need to ensure simultaneous compliance with potentially divergent obligations. NIS2 provides for cooperation mechanisms between Member State competent authorities through the Cooperation Group and the CSIRTs network, which facilitate the exchange of information, coordinate responses to cross-border incidents, and resolve interpretative issues. However, post-Brexit cooperation between European and UK authorities is less structured and depends on bilateral agreements, reciprocity mechanisms, and the goodwill of the parties. Companies should therefore adopt a proactive approach, maintaining open channels of communication with competent authorities in all relevant jurisdictions and participating in sector-specific information-sharing initiatives that facilitate the sharing of best practices and threat intelligence.
A seventh consideration concerns cyber insurance strategies. The rise in cyber risks and the potential for damages resulting from cyber incidents have made cyber insurance an increasingly important tool for risk transfer. However, the cyber insurance market is rapidly evolving, characterized by significant premium increases, coverage restrictions, increasingly broad exclusions (particularly for state-sponsored attacks, cyber warfare, and ransomware), and requirements to implement minimum security measures as a condition of purchasing policies. Companies must carefully evaluate their insurance coverage needs, verify the compatibility of policies with regulatory requirements (particularly regarding incident notification, which may be subject to confidentiality clauses in policies), and consider alternative or complementary solutions such as captive insurance, risk retention groups, or self-insurance mechanisms.
An eighth consideration concerns the implications for small and medium-sized enterprises. Although NIS2 generally excludes micro and small enterprises through the size-cap rule, and the UK Bill's functional criticality approach could leave many SMEs out of scope, these businesses are not completely exempt from obligations. First, NIS2 itself brings certain entities within scope regardless of size (Article 2(2)), including trust service providers, TLD name registries and DNS service providers, providers of public electronic communications networks or services, and sole providers of a service essential to critical societal or economic activities, and SMEs playing a key role in a critical supply chain may likewise be designated. Second, SMEs providing services to obliged entities may be subject to contractual security obligations imposed by their customers as part of supply chain risk management. Third, SMEs remain subject to the GDPR and to other sector-specific regulations requiring security measures. SMEs must therefore adopt proportionate cyber risk management strategies that take account of limited resources while still ensuring an adequate level of protection.
A comparative analysis of the NIS2 Directive and the UK Cyber Security and Resilience Bill highlights the substantial convergence of cybersecurity policy objectives between the European Union and the United Kingdom, but also the persistence of significant divergences in methodological approaches, regulatory techniques, and implementation mechanisms. This situation reflects a global cybersecurity regulatory landscape characterized by unresolved tensions between the need for international harmonization, necessary to address threats that transcend national borders, and the assertion of national regulatory autonomy, an expression of sovereign choices regarding the balance between security, innovation, and economic freedom.
NIS2 represents significant progress over the previous regime, broadening its scope, strengthening substantive obligations, intensifying enforcement mechanisms, and promoting transnational cooperation. However, it also raises significant interpretative and operational challenges, stemming from the complexity of the regulatory framework, its interaction with other European regimes, uncertainties regarding applicability criteria, and the need to ensure the proportionality and effectiveness of the imposed measures. The success of NIS2 will depend on the ability of Member States to transpose the Directive consistently and timely, of competent authorities to apply the regime proportionately and effectively, and of economic operators to implement the required measures substantively rather than merely formally.
The UK Cyber Security and Resilience Bill represents the United Kingdom's ambition to maintain high cybersecurity standards while asserting its regulatory autonomy post-Brexit. The British approach, characterized by greater flexibility, a preference for principles-based standards over prescriptive rules, and a more graduated sanctions regime coupled with the possibility of criminal liability for senior managers, reflects legal and cultural traditions different from those of continental Europe. The Bill's success will depend on the British Parliament's ability to pass legislation that strikes a balance between security and innovation, on the NCSC's ability to exercise its functions effectively and collaboratively, and on the UK's ability to maintain cooperative relations with the European Union on cybersecurity despite Brexit.
For companies operating across borders, the coexistence of distinct regulatory regimes creates additional complexity and costs, but it also offers opportunities to develop distinctive compliance capabilities, strengthen organizational resilience, and build competitive advantages through the adoption of high security standards. Compliance strategies should be based on an integrated approach that simultaneously considers European and UK requirements, prioritizes substantive measures over mere formalities, involves the management body in cybersecurity governance, and integrates cyber risk management into the overall corporate strategy.
Looking ahead, a move toward greater international convergence of cybersecurity standards is desirable, through cooperation between jurisdictions, the adoption of common technical frameworks, the development of mechanisms for mutual recognition of certifications, and the strengthening of operational cooperation in responding to cross-border incidents. This convergence, however, should not result in uncritical uniformity, but should preserve scope for regulatory experimentation, adaptation to national specificities, and virtuous competition between regulatory systems. Cybersecurity represents a global challenge that requires coordinated yet differentiated responses, capable of combining effective protection with respect for fundamental freedoms, regulatory rigor with proportionality of obligations, and international cooperation with respect for national sovereignty.