Steven Kenny of Axis Communications, Board Director of ASIS International UK and member of the EMEA Advisor Council for TiNYg, discusses the importance of security-first preparation for compliance.
Please introduce yourself.
I’m Steven Kenny, Manager of the Architecture & Engineering Program at Axis Communications for the EMEA region, and Board Director for ASIS International UK. I’ve been working in the security sector for over two decades, contributing to mission-critical, high-profile projects across various vertical markets. Over the last twelve years, I’ve focused on how security technologies can support business security strategies, while championing the importance of cybersecurity and compliance in the physical security space. I lead a team of Architect and Engineering Managers across EMEA and actively support industry associations and standards organisations. I’m currently part of the EMEA Advisor Council as the emerging technology lead for TiNYg (the Global Terrorism Information Network) and also serve on several standards committees that focus on IoT security and private security management under the BSI.
The UK isn’t adopting NIS 2 post-Brexit. Why should UK businesses still pay attention?
That’s a very timely question. Although the UK government chose not to adopt the EU’s updated Network and Information Security Directive, or NIS 2, the assumption that UK organisations are exempt from its influence is a dangerous misconception. Compliance with NIS 2 guidelines remains essential, and there are three key reasons for that.
First, many EU-based businesses – especially those operating in critical infrastructure – will only engage with partners who are demonstrably NIS 2-compliant. Second, the UK’s own government has proposed reforms to the current NIS Regulations that strongly reflect the goals of NIS 2. While the Cyber Security and Resilience Bill hasn’t been introduced formally yet, the Department for Science, Innovation and Technology has already shared plans for legislation that closely mirrors NIS 2 in both scope and enforcement. So, while NIS 2 might not apply legally, its spirit absolutely does.
In addition to NIS 2, the EU has introduced the Cyber Resilience Act (CRA). How does that fit into the picture?
The CRA is a crucial piece of the puzzle. It complements NIS 2 by extending cybersecurity requirements to the product level – specifically hardware and software – and to the companies that manufacture, import, or distribute those products. Originally proposed in 2022 and adopted in 2024, the CRA is set to come into effect in 2025, with most of its requirements becoming enforceable in 2027.
What’s important is that this regulation doesn’t just affect those operating within the EU. It impacts everyone who supplies to the EU, directly or indirectly. That includes UK suppliers, distributors, and installers. Even if these businesses aren’t themselves covered by EU law, their customers likely are – and that changes everything. With long product lifecycles, especially for physical security systems like network cameras or access control solutions, selecting compliant technologies now is a strategic necessity.
So for UK organisations, how do these regulations affect commercial decisions?
In a word – profoundly. Whether under NIS 2 or the CRA, UK companies looking to maintain or grow their footprint in the EU need to put cybersecurity at the core of what they do. Non-compliance could mean losing out on opportunities or, in the worst-case scenario, being shut out of entire markets. For organisations handling EU data or trading with EU partners, cybersecurity is no longer a nice-to-have – it’s a prerequisite.
The financial penalties for non-compliance are significant too. Under NIS 2, fines can reach up to €10 million or 2% of global revenue. But I’d argue the bigger issue is trust. EU organisations can’t afford to partner with businesses that jeopardise their own compliance or security posture. If a company can’t demonstrate that it meets modern security expectations, it simply won’t make it through procurement.
Beyond legal or commercial risks, what strategic benefits does adopting NIS 2 offer?
One of the most overlooked aspects of NIS 2 is how useful it is as a framework for improving business resilience. It’s not just about jumping through hoops. It’s a comprehensive guideline for how organisations can embed security best practices at every level – from infrastructure and operations to policies and culture.
For UK businesses, adopting NIS 2 voluntarily makes a lot of sense. It future-proofs operations against the inevitable tightening of domestic cybersecurity laws and enables fast-track compliance when the UK’s own legislation comes into force. But more importantly, it positions organisations to deal with emerging threats more effectively. Security isn’t just a cost – it’s a business enabler.