New cyber legislation – what businesses need to know
New cyber legislation from both the EU and the UK will provide added security assurance and introduce new requirements for businesses. By ensuring that more essential digital services are protected, the changes will significantly shape the future of data protection for UK organisations – with higher fines and penalties for organisations that fail to comply. 

In today’s interconnected digital landscape, where information flows seamlessly across international borders, the need for robust cybersecurity measures has never been more pronounced.  

Recognising the critical importance of a united front against cyber threats, European policymakers have taken a significant leap forward with the introduction of two new pieces of legislation designed to protect the digital infrastructure of member states. 

The European Parliament has approved two new pieces of legislation – the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). Since 18 October 2024, European Union (EU) member states have been required to transpose NIS2 into national law, while DORA will come into force from 17 January 2025.  

The UK’s departure from the EU in 2020 means that these new pieces of EU legislation will not apply in themselves to organisations operating services solely within the UK, but will apply to UK and other organisations that operate essential services inside the EU.   

The UK government has signalled its intention to build on the foundations through a new Cyber Security and Resilience Bill, which aims to “strengthen our defences and ensure that more essential digital services than ever before are protected”.  

The new UK legislation, while containing some key differences from the new EU laws, will expand the remit of regulation to protect more digital services and supply chains than existing UK cyber regulations. So it seems likely that, as it has with its own version of the EU GDPR (General Data Protection Regulation), the UK government will adopt the principles of NIS2 in future and may even adopt NIS2 itself.


What are NIS2 and DORA?

What is NIS2?
This directive applies to operators of essential services (OES) in critical sectors such as energy, transport, banking, financial market infrastructures, health and digital infrastructure. It also covers digital service providers (DSPs), including online marketplaces, search engines, and cloud computing services.  

NIS2 replaces the original NIS Directive (EU) 2016/1148. NIS2 is Directive (EU) 2022/2555, adopted in December 2022, which mandates enhanced cybersecurity requirements for member states and is stricter than its predecessor, expanding to cover more sectors and entities. 

By focusing on critical sectors and digital service providers, the original directive aimed to mitigate the impact of cyber threats and incidents that could have wide-ranging consequences for essential services and the overall economy. NIS2 builds upon that foundation.

What is DORA? 
This focuses on ensuring the digital operational resilience of the EU’s financial sector, recognising the sector’s increased reliance on digital technologies. It aims to ensure that organisations providing these technologies identify and protect critical IT systems, have adequate incident response and business continuity plans, manage risk appropriately and ensure supply chain risks are identified and treated. For DORA, member states must implement compliance by 17 January 2025.

All organisations that fall under the scope of either piece of legislation (NIS2 or DORA) must comply with its individual requirements. And the new UK legislation will impose requirements on most organisations, including those in the public, private and non-profit sectors.

It is important to understand the gap between compliance and non-compliance to develop a manageable roadmap – and to explore and understand the comprehensive list of requirements for NIS2 and DORA. 

Once organisations have established a roadmap, they will need to determine resource and competency requirements, then deliver against them. 

What does this mean for organisations?


What are the penalties for non-compliance?

Like GDPR, fines for non-compliance can be severe. Essential entities face fines up to €10 million or 2% of annual turnover and “Important entities”, a category defined within the NIS2 directive, may face up to €7 million or 1.4% of turnover. 

DORA penalties might vary across member states since implementation details could differ. However, the maximum financial penalties are expected to align with other EU regulations to ensure a uniform compliance standard. 


How can organisations prepare?

There are key steps any organisation can take to understand its risk landscape and to recognise the impact of this legislation. These include:

  1. Evaluating your business, and determining whether you are in scope for either NIS2 or DORA.

  2. Identifying your incident notification requirements and building them into your playbooks or plans – under NIS2, prompt reporting of significant incidents to the relevant authorities is critical.

  3. Taking proportionate technical, operational and organisational measures to manage the risks posed to your systems.

  4. Updating your policies, ensuring they are fit for purpose and set the strategic direction for the procedures that follow.

  5. Training and educating your people, and empowering them as users.

  6. Evaluating your supply chain; both NIS2 and DORA require organisations to evaluate the third-party suppliers and contracted services that may impact operational resilience or expose the organisation to cyber risks.

These two directives, with a core focus on fortifying critical infrastructure and promoting cross-border cooperation, embody the EU's commitment to a secure and resilient cyberspace.  

Final thoughts

As technology advances and cyber threats evolve, both NIS2 and DORA serve as beacons, guiding member states towards a harmonised approach in the face of digital challenges. NIS2 and DORA are essential to the EU’s broader digital resilience strategy, aligning with other initiatives such as the EU Cybersecurity Act and the EU Cybersecurity Strategy. Alongside these, when enacted in the UK, the new Cyber Security and Resilience Bill will strengthen defences and cover more essential digital services than ever before.

By fostering risk management, incident reporting, and stringent enforcement, these new legislative changes transcend national borders, creating a collective defence that reinforces the foundations of our interconnected world. 

© Opencast 2026

Registered in England and Wales