Emerging threats
Strengthening national cyber security and resilience with NIS2
The Network and Information Security Directive 2 (NIS2) is the EU’s latest directive aimed at strengthening cyber security and resilience across key sectors. It replaces the original NIS Directive with a broader scope and stricter obligations designed to protect critical services from today’s rapidly evolving cyber threat landscape, ensuring the overall resilience and security of EU Member States at a national level.
NIS2 introduces significant improvements in risk management and incident response obligations:
- Stronger governance: Boards and senior leadership now have explicit accountability for cyber risk management
- Enhanced risk management including supply chain security, encryption and vulnerability disclosure, business continuity and recovery, and faster incident reporting timeframes
- Expanded scope: Includes new sectors (e.g.,public administration, manufacturing and IT service management)
- Clearer entity classification: Essential Entities (e.g., energy, transport, finance, health) and Important Entities (e.g., manufacturing, IT management, food)
- Size-based inclusion criteria: Small and micro entities can now be included based on criticality
- Mandatory group-level compliance: Subsidiaries of large groups cannot be exempted if the parent organisation is in scope
NIS2 risk management & incident response
NIS2 mandates that in scope entities must implement robust risk management and incident response measures, broken down into the following areas (with 4 and 5 most relevant for governments and nationally significant organisations):
The five areas of the NIS2 framework:
1. Cyber security risk management
Entities must implement robust policies and procedures across key areas including:
- Business continuity
- Information security
- Risk analysis
- Incident handling
- Supply chain security
2. Notification obligations
Entities must notify a designated national competent authority of cyber security incidents within the following timeframes:
- 24 hours initial notification
- 72 hours full report
- Monthly recovery updates
- Submission of post incident report
3. Cyber security information sharing
Entities must share cyber threat intelligence via trusted networks to strengthen collective cyber defences.
Who: Government agencies, national CSIRTs, private sector, cybersecurity firms, critical infrastructure operators
What: Information on new cyber threats, ongoing attack warnings, and best practices
Why: To prevent threat spread, speed up response times, and reduce financial and operational impact
4. National cyber crisis management frameworks
EU Member States need cyber crisis management frameworks to ensure a coordinated and effective response to nationally significant cyber incidents, including:
- National incident readiness
- Detection & categorisation
- Criminal investigation
- Strategic Response
- Incident management
5. National cyber security strategy
Each Member State must develop a comprehensive national strategy including:
- Objectives & priorities
- Governance & responsibilities
- Risk management
- Incident response
- Supply chain security
- Education & workforce development
Our services
We deliver end-to-end cyber security solutions tailored to NIS2 compliance, combining strategic consultancy, incident response, and information security with robust training and capacity building programmes.
Our proven expertise in building national and organisational cyber resilience ensures our clients are prepared to manage risks, maintain strong defences, and respond effectively to cyber threats across all relevant sectors.
Cyber security consultancy
Developing a comprehensive cyber security strategy aligned with NIS2 requirements.
Business continuity planning
We help clients plan, prepare for and respond effectively to cyber incidents, ensuring uninterrupted operations in a crisis.
This includes implementing Business Continuity Management Systems (BCMS) aligned with ISO 22301 and NIS2 requirements for effective resilience and recovery.
Incident preparedness and response
We help organisations prepare for and respond to cyber incidents with speed and confidence.
We design and test incident response plans and playbooks, defining incident categories, and ensuring coordination across teams, to minimise operational disruption.
Information security management
Auditing and implementing controls to protect sensitive data and critical systems.
Supply chain security
Assessing and securing third-party vendor relationships.
National Incident Management Framework implementation
We work with governments, regulatory bodies and critical infrastructure operators to design and implement national-level frameworks that define clear roles, responsibilities, and coordinated processes for managing cyber incidents across sectors and stakeholders.
Training and capacity building programmes
We deliver tailored training programmes designed to upskill personnel, enhance cybersecurity awareness, and build capability to run effective cyber exercises aligned with international best practices.
Why choose PGI?
PGI offers in-depth, established expertise in building and enhancing national and organisational cyber resilience.
We provide comprehensive, strategic services including incident response, business continuity, risk management, and information security, making us a trusted partner for all areas of NIS2 compliance.
Global trusted partner
We’ve successfully supported over fifty governments with incident response and resilience building across five continents
Collaborative approach
We work closely with stakeholders across key sectors and governments to ensure incident response frameworks are practical, widely adopted, and support cross-sector coordination.
Leaders in incident response
Our team have an established international reputation as a provider of incident preparedness and response expertise to governments, international agencies and corporate entities.
The 2025 UK Cyber Resilience Bill
The UK's upcoming Cyber Resilience Bill will establish a national framework to strengthen cyber defences, aligned with NIS2 and international cyber security standards. It is expected to impact UK organisations providing critical services, MSPs, supply chain partners and public sector firms and bodies.
The recently published Cyber Governance Code of Practice closely aligns with both NIS2 and the upcoming 2025 UK Cyber Resilience Bill, and early implementation will be critical to minimise disruption ahead of future regulations.
Start preparing for the changes now
New cybersecurity laws can be daunting, but we’re here to ease the process. We can help ensure that your organisation not only meets current cyber security regulations but is also prepared for these future changes.
If your organisation is already certified to ISO 27001 (Information security) or ISO 22301 (Business continuity), you should already be well positioned for the upcoming bill. However, it's essential to review your incident reporting, governance responsibilities, and supply chain security to ensure full compliance before the bill is implemented.
We're here to help! Get in touch with us today to find out how we can support you.
UK organisations that operate in the EU should also consider that they may already fall into scope of the NIS 2 directive and the cyber resilience bill.
Digital Investigations, Cyber security and Capacity Building
Detect
We work at the cutting edge of threat detection, continually scanning the horizon for next-generation risks.
Protect
Whether you use the term cyber security, digital security, or technical security, we believe in providing simple, effective and affordable solutions that fit your requirements.
Build
Our globally trusted Build team develops long-term digital resilience for national governments, NGOs, institutions and corporates.