This EU legislation sets out rules to protect cybersecurity in 18 critical sectors. Law firms can come within the scope of NIS2 depending on their size, services and client base. And given its emphasis on the supply chain, law firms are likely to be asked to demonstrate their cyber readiness. UK firms already adapting to NIS2 for EU clients and activities will now need to comply with new UK laws as well.
The bill will widen the net of regulation, placing new responsibilities on businesses once considered too small to be affected. It’s vital for SME law firms to understand the changes for their own operations but also for the advice they provide to clients.
The key changes
One major change is the inclusion of managed service providers (MSPs). Though the definition is still under consultation, it is expected to include a wide range of B2B IT service providers, with an estimated 900–1,100 organisations potentially brought under the scope of the new regime.
Incident reporting requirements will also tighten. Organisations must report significant cyber incidents within 24 hours, followed by a detailed report within 72 hours. These reports must go to both the relevant regulator and the National Cyber Security Centre (NCSC), with potential obligations to inform customers as well.
Regulatory powers are also expanding. The Information Commissioner’s Office (ICO) will gain enhanced authority to demand information, serve notices and enforce compliance, especially for MSPs. The government is further considering whether to classify data centres as part of the UK’s critical national infrastructure, which would place them under stricter oversight.
Firms could also be designated as critical service providers (CSPs) if their services are deemed essential. This would bring additional regulatory scrutiny, even for smaller businesses. To fund this broader regime, the bill proposes an enhanced registration system with mandatory fees — a potentially significant financial burden for SMEs.
Practical tips to prepare
Firms should start by monitoring developments closely to understand how the bill might apply to them or their clients. Review internal processes and reporting procedures, ensuring they align with the new timeframes. Cyber incident response teams should be ready to act fast, ideally within 24 hours, and rehearsing realistic scenarios is key to improving performance under pressure.
Law firms should also review supplier contracts, requiring timely incident notification, and assess whether their technical and organisational measures are sufficient to protect against evolving threats, including those driven by AI. Boards and audit committees must be briefed, and firms should consider obtaining specialist advice to navigate the new regime.
This isn’t just about compliance — it’s about resilience. Preparing now will help law firms protect their clients, their data and their reputation in a rapidly changing digital world.