UK Cyber Security and Resilience Bill vs. EU NIS2
Confusion between the new UK legislation and the European Directive is common. This is the definitive disambiguation resource for compliance leaders operating across jurisdictions.
Are they the same law?
No. They are distinct legal frameworks.
The EU NIS2 Directive applies to EU member states. The UK Cyber Security and Resilience Bill (CSRB, Bill 329) applies to the United Kingdom. Although both evolve from the original NIS Directive (2016), the UK has chosen a divergent path focused on supply-chain "near misses" and specific regulation of MSPs and data centres, rather than NIS2's broad sector-based approach.
Regulatory comparison matrix
How the two regimes differ across the dimensions that matter for compliance.
| Feature | UK Cyber Security and Resilience Bill (Bill 329) | EU NIS2 Directive |
|---|---|---|
| Jurisdiction | United Kingdom only | 27 EU member states |
| Key targeted sectors | MSPs, data centres, essential services (water, energy, transport, health, digital). | 18 sectors (energy, transport, banking, space, waste water, food, etc.) |
| Maximum penalty | £17M or 4% global turnover | €10M or 2% global turnover (essential entities) |
| Incident reporting | 24h initial · 72h full; includes "near misses" | 24h early warning · 72h incident notification |
| Supply chain | Direct regulation of "critical suppliers" (Reg 14H); MSPs treated as a risk vector. | Entities must manage the security of their own supply chains. |
| Cost recovery | Yes - regulators can recover investigation costs from non-compliant entities. | Varies by member-state implementation. |
Need to map your compliance across both regimes?
Many international organisations must comply with both. Our gap-analysis service identifies overlapping requirements to save you duplication of effort.
Get a multi-jurisdiction assessment