NIS2 is the second version of the EU Network and Information Security Directive. For the first time, it names IT managed services and managed security services as in scope. It covers essential entities (energy, transport, banking, health) and important entities (manufacturing, food, digital providers).
Whether NIS2 reaches you depends on where your clients operate, not only on where you are registered. If you serve only UK clients, NIS2 does not bind you directly. If you serve clients that operate in EU member states, those clients will push NIS2-style requirements down to you through their supply chain obligations.
The Cyber Security and Resilience Bill is expected to bring managed service providers under formal oversight in the UK, aligned in spirit with NIS2 though not identical in detail. The direction is clear even while the exact text is still moving.
The core obligations are: risk management backed by documented security measures; incident reporting within 24 hours of becoming aware; supply chain security assessments; and management accountability, meaning senior leaders can be held personally responsible.
In practice, you should be able to produce on request: a documented information security policy, evidence of access control and enforced MFA, an incident response plan with 24-hour and 72-hour reporting timelines, backup and continuity testing results, and a named accountable owner.