Cyber Security Blog

NIS2 Two Years On: The UK Compliance Gap Survey

Written by Guest Author | 9 June 2026

An anonymous survey of 250 UK CISOs and OT security leads finds that the majority of essential and important entities have significant readiness gaps across OT-specific controls, supply chain risk management, and incident reporting capability.

Two years after NIS2 came into force across the European Union, and with UK equivalents shaping domestic regulatory expectations, the majority of UK organisations classified as essential or important entities have not achieved adequate readiness across the directive's ten core requirements. That is the finding of a new survey conducted by e2e-assure, published on 28 May 2026, which measured compliance readiness across 250 UK CISOs and OT security leads using a standardised ten-dimension framework.


Where the Gaps Are Widest

The survey assessed readiness across ten dimensions including supply chain risk management, OT-specific security controls, incident reporting capability, board-level governance, and vulnerability handling processes. OT-specific controls produced the lowest readiness scores, with 58% of respondents falling below the defined threshold. Supply chain risk management was the second weakest dimension at 54% below threshold.

These findings are consistent with independent research published in the e2e-assure OT Security Review 2026, based on Censuswide survey data from January 2026 covering 250 cybersecurity decision makers across UK CNI and manufacturing. The OT Security Review found that only 18% of surveyed organisations are fully compliant with NIS2, with 78% not yet meeting compliance requirements. IEC 62443, the primary OT-specific standard, showed even wider gaps: 17% fully compliant and 79% not yet. These figures suggest that for the majority of UK organisations in scope, compliance is a declared priority without a completed roadmap.

Incident reporting capability showed the sharpest variation by sector: energy and water operators scored significantly higher than manufacturing and transport, reflecting the regulatory attention those sectors have historically received from OFGEM and Ofwat.

The Board Governance Gap

Board-level governance scored higher than technical controls overall, but the detail is more nuanced. When respondents were asked whether their board received quarterly cyber risk reporting that specifically addressed OT environments, only 29% confirmed this was the case. The majority reported that board-level cyber reporting either did not distinguish IT from OT risk, or covered cybersecurity only when a specific incident triggered discussion.

NIS2 places explicit accountability on board members and management, including provisions for personal liability in cases of demonstrated negligence. An organisation that cannot evidence regular board-level OT risk oversight is in a weak position to demonstrate proportionate governance to a regulator.

Sector Variation

Water and energy operators reported the highest readiness scores overall, driven by longstanding sector-specific regulatory requirements. Manufacturing reported the lowest aggregate scores, with 67% of manufacturing respondents below threshold on OT-specific controls.

The OT Security Review found that the most common areas receiving formal budget allocation for regulatory programmes are NIS2 (37%), the Cyber Security and Resilience Bill (35%), and the Cyber Assessment Framework (33%). Budget allocation, however, does not equate to compliance achievement. The gap between organisations that have allocated budget to NIS2 and those that have achieved full compliance remains substantial.

Next Steps

e2e-assure provides NIS2 compliance support services to UK essential and important entities, including gap assessments against NIS2 Article 21 technical controls, incident response planning, and OT-specific security control implementation. The survey report, including sector-level scoring and breakdowns by named dimension, is available at e2e-assure.com.

For more information on e2e-assure's NIS2 compliance support, visit e2e-assure.com.

Key Facts

  • Survey sample: 250 UK CISOs and OT security leads at essential and important entities

  • 10 dimensions measured against standardised readiness thresholds

  • 58% of respondents below threshold on OT-specific security controls

  • 54% below threshold on supply chain risk management

  • Only 29% of respondents receive quarterly board reporting specifically addressing OT risk

  • Manufacturing recorded the lowest aggregate readiness scores across all sectors surveyed

  • OT Security Review (Censuswide/e2e-assure, Jan 2026): 18% fully NIS2 compliant, 78% not yet

  • OT Security Review: IEC 62443 compliance even lower at 17% fully compliant, 79% not yet

  • Energy and water operators scored highest, reflecting established sector-specific regulatory history

About e2e-assure

e2e-assure is a UK-based managed SOC and cybersecurity company specialising in IT/OT security, threat detection and response, and cyber assessment services for critical national infrastructure and industrial operators. Founded by Rob Demain, e2e-assure operates the Cumulo platform, purpose-built for unified IT/OT monitoring. The company serves clients in manufacturing, energy, water, and transport across the United Kingdom.