CyberSec Update #9 – NIS2 / UKSC2 from 3 April 2026
NIS2 / UKSC2 comes into force on 3 April 2026. Check whether your research organisation is subject to the regulations, what its obligations are and how to prepare for implementation with the help of KWKR.
NIS2 and research organisations – UKSC2 comes into force on 3 April 2026
The act implementing NIS2 comes into force on 3 April 2026. This is a key date for research organisations too, because it starts the deadlines for registration in the list of important and key entities and for implementing the required cybersecurity measures. This raises the question: how will NIS2 affect research organisations and their obligations?
Are research organisations subject to NIS2?
The short answer is yes, but there are exceptions. The Act explicitly mentions ‘research organisations’ as one of the entities considered important. However, not every organisation conducting scientific research will qualify as such within the meaning of the regulations.
The legislator has applied a filter to determine whether an entity qualifies as a ‘research organisation’ in the context of NIS2. In other words, it is not enough to conduct research. The entity must also:
- not be a key entity at the same time,
- have legal personality or the status of an organisational unit without legal personality,
- have research as its primary activity, not a secondary one,
- use information systems in research processes.
In practice, this means that many laboratories, research and development centres and technology companies will be covered by NIS2/UKSC2, while others – especially those for which research is an add-on – will remain outside its scope.
It is worth remembering that the Act imposes an obligation to independently determine the status and submit a notification to the register of important and key entities. Failure to submit a notification may result in financial consequences.
Deadlines: what needs to be implemented and when?
The NIS2 Directive shifts responsibility for cybersecurity to the management level. Research organisations must clearly assign responsibility for security, e.g. by appointing a CSO, incorporating cyber risk into management oversight and ensuring adequate budgeting.
For a research organisation, this is a paradigm shift: security becomes part of strategic decisions – it influences research priorities, partnership policies and how intellectual property is protected.
Key dates:
- 3 April 2026 – UKSC2 enters into force,
- by 3 October 2026 – obligation to register in the list of important and key entities,
- by 3 April 2027 – deadline for full implementation of the regulations,
- from 3 April 2028 – possibility for the supervisory authority to impose financial penalties.
For research organisations, this means that implementation must be planned immediately.
Key responsibilities of research organisations covered by NIS2
- Verification of status and registration – determining whether an entity is subject to the regulations and reporting it to the register.
- Risk analysis and countermeasures – up-to-date risk analysis; access control; encryption; vulnerability management; network segmentation; backups and recovery procedures.
- Implementation of an Information Security Management System (ISMS) – preparation of policies, procedures, documentation and regular reviews and updates.
- Incident management and reporting – detection, response, reporting of serious incidents to the appropriate CSIRT.
- Business continuity – contingency plans, recovery tests and scenario exercises.
- Supply chain security – risk identification and contract clauses, supplier audits.
- Monitoring and technical testing – pentests, vulnerability scanning, event monitoring and logging.
- Security culture – training and access management.
- Management responsibility and governance – assigning responsibility at the management level: appointing a CSO/representative, budget, accountability mechanisms and regular reports.
- Readiness for supervision – complete documentation and preparation for audits.
How can KWKR help with NIS2?
The implementation of NIS2 is not only a legal obligation. It is a real competitive advantage – data security and operational resilience increase the credibility of an organisation as a research partner.
KWKR offers comprehensive support: from status verification and audits to the complete preparation of documentation and representation before supervisory authorities.
What we offer (areas of support):
- eligibility assessment – whether a given organisation is subject to NIS2/UKSC2, and if so, in which category (important/key entity),
- gap audit – we examine whether the organisation’s policies, procedures and operating schemes comply with the new legal requirements and to what extent they need to be supplemented/remodelled,
- implementation – we prepare, in cooperation with the organisation and external entities (e.g. pentesting and training companies), the necessary documents – policies, procedures, instructions, corporate documents, job descriptions, regulations and model contractual clauses – everything to address the requirements introduced by NIS2/UKSC2 in the area of Information Security Management Systems,
- we conduct training – in particular introductory training on legal obligations, the legal architecture of the ISMS and others,
- we prepare, negotiate and review contracts, including those with managed service providers in the field of cybersecurity (e.g. for pentests, training, Security Operation Centre services) and with ICT providers within the supply chain,
- we advise on all legal issues related to new cybersecurity regulations,
- we represent clients in proceedings before administrative authorities and courts, e.g. in the registration of important and key entities.
Early action reduces the risk of sanctions and protects intellectual property and reputation.



