NIS2 Readiness Assessment: are you ready for the UK Cyber Resilience Bill?
Check your NIS2 compliance readiness. Free scored assessment covering risk management, incident reporting, supply chain and governance. Results in minutes.
NIS2 is the EU's second Network and Information Security Directive, formally Directive (EU) 2022/2555, which EU Member States were required to transpose into national law by 17 October 2024. It strengthens cyber duties for essential and important entities across critical sectors. The UK is no longer in the EU, so NIS2 does not apply to the UK directly. It can still reach a UK organisation that operates in the EU, offers services there, or sits in the supply chain of an EU entity that is in scope. UK organisations should know their position rather than assume it does not touch them.
The Cyber Security and Resilience (Network and Information Systems) Bill is the UK's plan to modernise the Network and Information Systems Regulations 2018. It was introduced to Parliament on 12 November 2025 and is now progressing through Parliament. It expands who is regulated, including managed service providers and data centres, strengthens incident reporting, and increases regulators' powers. It is an incoming regime: the detail of many duties will follow in secondary legislation, so this checklist is a head start, not a compliance verdict.
The two regimes are at different stages, which is exactly why readiness matters now. NIS2 is in force in the EU and Member States have been transposing it into national law since the 17 October 2024 deadline. The UK Cyber Security and Resilience Bill is still moving through Parliament and is not yet law, with much of the operational detail due in secondary legislation. We describe both honestly as emerging or incoming regimes. Acting early is far cheaper than reacting to a commencement date or a supplier's questionnaire.
The six dimensions map to NIS2, specifically Article 20 on governance and board accountability, the ten risk-management measures in Article 21(2), and the incident reporting duties in Article 23, alongside the NCSC Cyber Assessment Framework version 4.0, released in August 2025, which UK regulators are expected to use to assess resilience. These are named in the methodology note and on your results.
Both regimes demand speed. Under NIS2 Article 23, a significant incident needs an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month. The UK Bill mirrors the front end with an initial notification within 24 hours and a fuller report within 72 hours. The practical test for a board is simple: if a serious incident hit today, could you actually produce those reports in time? Most organisations cannot until they have rehearsed it.
Under NIS2, essential entities can face fines up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, and important entities up to 7 million euros or 1.4%, as set out in Article 34. For the UK Bill, the government has said maximum penalties will rise and align more closely with regimes such as GDPR, but exact UK figures depend on the legislation as it is finalised, so we do not quote a specific UK number here. The point for a board is that the financial and personal accountability stakes are rising under both.
This is a self-assessment and a board-ready signal, not an audit, a certification or legal advice. It shows where your cyber resilience is strong and where it is exposed, mapped to recognised frameworks, so you know where a deeper review would pay back. Because the UK Bill is still emerging and the detail will arrive in secondary legislation, no self-assessment can confirm compliance. A formal scope and gap assessment, with legal input where needed, is the right next step if you are likely to be in scope.
The assessment is aimed at UK mid-market and non-profit boards, chief executives, trustees, COOs, CFOs and the leaders responsible for technology and risk. It is written in plain business language, so no technical knowledge is needed. It is built for the person who has to answer to the board for cyber resilience, not for a security engineer. If you run essential services, digital services, managed services or a data centre, or you supply someone who does, it is especially relevant.
The assessment has eighteen questions, three per dimension, each scored from one for the weakest position to four for the strongest. The six dimensions carry equal weight, and your points are normalised to a true 0 to 100 scale, where 0 is the weakest possible position and 100 the strongest, with no hidden floor inflating the result. You are placed in one of four tiers, Exposed, Developing, Managed or Resilient, and shown each dimension as a percentage, with your weakest areas named alongside what to do about them. It takes about seven minutes. Answer based on what is true today, not what you intend to put in place.
Starkhorn is an independent technology consultancy. We do not certify, we do not sell insurance or cyber products, and we take no commission. We help boards and leaders design and run the governance and resilience that regimes like NIS2 and the Cyber Security and Resilience Bill expect. This checklist is free and exists to show you where you stand and where a deeper look would pay back.