Compliance with NIS2 comes at a cost
With the EU's NIS2 directive now starting to roll out, aiming to achieve a high level of cybersecurity across member states, a new survey commissioned by Veeam shows the significant impact implementation is having on businesses.
The study, carried out by Censuswide, reveals that while 68 percent of companies report receiving the necessary additional budget for NIS2 compliance, 20 percent identify budget as being a significant barrier to achieving compliance.
Since the political agreement for NIS2 in January 2023, 40 percent of businesses have faced decreased IT budgets and 20 percent have unchanged ones. Moreover, 95 percent of organizations have diverted funds from elsewhere in the business to cover NIS2 compliance costs. Specifically, 34 percent of companies have dipped into their risk management budgets, 30 percent have taken funds from wider recruitment, 29 percent from crisis management, and 25 percent from emergency reserves. This reallocation underscores further strain on these companies’ already tight financial resources.
Edwin Weijdema, field CTO EMEA at Veeam, says, "Securing adequate budget for cybersecurity is often a challenge for IT leaders, but the strict penalties and emphasis on corporate accountability from NIS2 may help ease that process. However, as most IT budgets are either being cut or remaining stagnant -- effectively shrinking due to rising business costs and inflation -- NIS2 is pulling from an already limited pool. It's particularly concerning to see funds being redirected from recruitment and emergency reserves. NIS2 shouldn’t be treated as a crisis, yet one in four businesses appears to view it that way."
The survey also looks at the main business pressures felt by IT leaders. NIS2 ranks low on the priority list at #10, which emphasizes the extensive array of challenges faced at the senior level. The top five challenges are the skills gap (24 percent), profitability concerns (23 percent), digital transformation (23 percent), the rising cost of doing business (20 percent), and a lack of resources (20 percent). These findings reveal that resources -- both human and financial -- are the main limiting factors for IT leaders, yet NIS2 demands both.
Despite NIS2 not directly affecting UK companies, those that do business with EU entities must comply, and their responses paint a different picture. The UK is the only country surveyed to report an increase in IT budgets since January 2023, with 62 percent of UK-based IT decision-makers reporting a budget increase and just 14 percent seeing a decrease. This has enabled UK businesses to invest more heavily in improving their security posture ahead of the directive.
You can find out more on the Veeam site.