NIS2 - ignore at your peril

Approximately 80% of businesses are confident in adhering to NIS2, yet 66% will miss the compliance deadline.

  • Tuesday, 1st October 2024 Posted 1 month ago in by Phil Alsop

 Organizations are navigating a landscape of mixed emotions as the Network and Information Security Directive 2022/2555 (NIS2) enforcement date approaches. NIS2, a regulation aimed at strengthening cybersecurity across the EU by expanding the scope and increasing the rigor of security requirements, goes into effect on 18 Oct. 2024. Veeam® Software, the #1 market leader by market share in Data Resilience, commissioned a new survey from Censuswide that revealed that only 43% of EMEA IT decision-makers believe NIS2 will significantly enhance EU cybersecurity. This is despite an overwhelming 90% of respondents reporting at least one security incident that the NIS2 directive could have prevented in the past 12 months. Alarmingly, 44% of respondents experienced more than three cyber incidents, with 65% of those categorized as “highly critical”.

The survey results, which encompass the views of 500+ IT decision-makers from Belgium, France, Germany, the Netherlands, and the UK, revealed the state of play less than a month before this directive takes effect on Oct. 18. Although nearly 80% of businesses are confident in their ability to eventually comply with NIS2 guidelines, up to two-thirds state they will miss this imminent deadline.

Barriers to NIS2 Compliance

Achieving NIS2 compliance requires businesses to implement essential measures, such as defining incident response plans, securing supply chains, assessing vulnerabilities, and evaluating overall security levels. This includes all affiliated organizations, partners, and supply chains. However, several barriers to compliance persist. Key challenges cited by IT decision-makers include technical debt (24%), lack of leadership understanding (23%), and insufficient budget/investments (21%). Notably, 40% of respondents reported decreased IT budgets since the political agreement for NIS2 was proclaimed effective in January 2023, despite its stringent penalties, which are comparable to those of the EU's flagship data privacy legislation, the General Data Protection Regulation (GDPR). 63% of respondents view the GDPR as strict, and 62% express the same sentiment about NIS2.

Competitive Pressures Amid Cyberthreats

The slow pace of NIS2 adoption is likely due to the multitude of competing priorities and business pressures that face these organizations. Respondents rank NIS2 lower in urgency than ten other issues, including the skills gap, profitability, and digital transformation. Worryingly, 42% of respondents who consider NIS2 insignificant for EU cybersecurity improvements attribute this to inadequate consequences of non-compliance, which has led to widespread apathy towards the directive.

Additional key findings from the survey include:

74% of respondents see NIS2 as beneficial, but 57% doubt it will have any substantial impact on overall EU cybersecurity posture.

Sceptics cite additional concerns such as NIS2's lack of comprehensiveness (35%), belief that compliance doesn’t guarantee security (34%), and overlap with existing regulations (25%).

Other barriers include a lack of focus on NIS2 compliance (20%), tight timelines (19%), cybersecurity skills shortage (19%), directive complexity (19%), and organizational silos (19%).

Despite conflicting views, most respondents perceive NIS2 positively in the context of their organization's regulatory obligations, feeling optimistic (33%), confident (32%), and encouraged (27%).

Andre Troskie, EMEA Field CISO at Veeam, stated: “NIS2 brings responsibility for cybersecurity beyond IT teams into the boardroom. While many businesses recognize the importance of this directive, the struggle to comply found in the survey highlights significant systemic issues. The combined pressures of other business priorities and IT challenges can explain the delays, but this does not lessen the urgency. Given the rising frequency and severity of cyberthreats, the potential benefits of NIS2 in preventing critical incidents and bolstering data resilience can't be overstated. Leadership teams must act swiftly to bridge these gaps and ensure compliance, not just for regulatory sake but to genuinely enhance organizational robustness and safeguard critical data.”

The promise of AI is on every biopharma’s radar, but the reality today is that much of the industry is grappling with how to convert the hype into...
IT teams urged to resolve ‘data delays’ as UK executives struggle to access and use relevant business data.

‘Playtime is over’ for GenAI

Posted 4 days ago by Phil Alsop
NTT DATA research shows organizations shifting from experiments to investments that drive performance.

GenAI not production-ready?

Posted 4 days ago by Phil Alsop
Architectural challenges are holding UK organisations back - with just 24% citing having sufficient governance to implement GenAI.

AI tops decision-makers' priorities

Posted 4 days ago by Phil Alsop
Skillsoft has released its 2024 IT Skills and Salary Report. Based on insights from more than 5,100 global IT decision-makers and professionals, the...

The state of cloud ransomware in 2024

Posted 4 days ago by Phil Alsop
Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security realm.
Talent and training partner, mthree, which supports major global tech, banking, and business clients to build job-ready teams, has revealed the...

AI innovation is powering the Net Zero transition

Posted 4 days ago by Phil Alsop
Whilst overall AI patent filings have slowed, green AI patent publications grew 35% in 2023.