NIS2 could prevent cybersecurity incidents but many businesses aren't ready
The EU's latest Network and Information Security Directive (NIS2) comes into effect on October 18, but new research finds that although nearly 80 percent of businesses are confident in their ability to eventually comply with NIS2 guidelines, up to two-thirds say they will miss this imminent deadline.
The survey from Veeam Software, of over 500 IT decision-makers from Belgium, France, Germany, the Netherlands and the UK, shows 90 percent of respondents reporting at least one security incident that the NIS2 directive could have prevented in the past 12 months.
More worrying is that 44 percent of respondents experienced more than three cyber incidents, with 65 percent of those categorized as 'highly critical'.
Achieving NIS2 compliance requires businesses to implement essential measures, such as defining incident response plans, securing supply chains, assessing vulnerabilities, and evaluating overall security levels. This includes all affiliated organizations, partners, and supply chains. However, several barriers to compliance persist.
Key challenges cited by IT decision-makers include technical debt (24 percent), lack of leadership understanding (23 percent), and insufficient budget/investments (21 percent). Notably, 40 percent of respondents report decreased IT budgets since the political agreement for NIS2 was proclaimed effective in January 2023, despite its stringent penalties, which are comparable to those of the EU's flagship data privacy legislation, the General Data Protection Regulation (GDPR). 63 percent of respondents view the GDPR as strict, and 62 percent express the same sentiment about NIS2.
Andre Troskie, EMEA field CISO at Veeam, says, "NIS2 brings responsibility for cybersecurity beyond IT teams into the boardroom. While many businesses recognize the importance of this directive, the struggle to comply found in the survey highlights significant systemic issues. The combined pressures of other business priorities and IT challenges can explain the delays, but this does not lessen the urgency. Given the rising frequency and severity of cyberthreats, the potential benefits of NIS2 in preventing critical incidents and bolstering data resilience can't be overstated. Leadership teams must act swiftly to bridge these gaps and ensure compliance, not just for regulatory sake but to genuinely enhance organizational robustness and safeguard critical data."
The slow pace of NIS2 adoption is partly down to firms having other priorities. Respondents rank NIS2 lower in urgency than other issues, including the skills gap, profitability, and digital transformation. The 42 percent of respondents who consider NIS2 insignificant for EU cybersecurity improvements put this down to inadequate consequences of non-compliance, which has led to widespread apathy towards the directive.
There's a summary of the findings in the infographic below.
Image credit: IgorVetushko/depositphotos.com