The European Union (EU) Network and Information Security Directive 2022/2555
(NIS2), which aims to strengthen cybersecurity, goes into effect on October 18
with administrative fines of up to EUR10 million or 2% of total annual
worldwide turnover for those who fail to comply. A new survey from
Censuswide, commissioned by Veeam Software, the #1 market leader by
market share in Data Resilience, revealed that
only 43% of EMEA IT decision-makers believe NIS2 will significantly
enhance EU cybersecurity. This is despite an overwhelming 90% of
respondents reporting at least one security incident that the NIS2
directive could have prevented in the past 12 months. Alarmingly, 44% of
respondents experienced more than three cyber incidents, with 65% of
those categorized as "highly critical."
The survey results, which encompass the views of 500+ IT decision-makers
from Belgium, France, Germany, the Netherlands, and the UK, revealed
the state of play less than a month before this directive takes effect
on Oct. 18. Although nearly 80% of businesses are confident in their
ability to eventually comply with NIS2 guidelines, up to two-thirds
state they will miss this imminent deadline.
"Tackling the growing volume and complexity of cyber threats will take a
coordinated approach across government, industry, and business. The
NIS2 directive will both help to prevent critical incidents and raise
the importance of good preparation to the boardroom. NIS2 will also set
the new standard baseline of compliance for all enterprises around the
world as we continue to battle this era of continuous cyber threats with
data resilience in order to keep businesses running and secure," said
Anand Eswaran, CEO at Veeam.
"While recognizing the importance of this directive, pressures of other
business priorities along with IT challenges are hampering organizations'
ability to meet the October 18 deadline. Leaders in Europe will need to
act swiftly to bridge these gaps and ensure compliance, not just for
regulatory sake but to genuinely enhance organizational robustness and
safeguard critical data," Eswaran continued.
Barriers to NIS2 Compliance
Achieving NIS2 compliance requires businesses to implement essential
measures, such as defining incident response plans, securing supply
chains, assessing vulnerabilities, and evaluating overall security
levels. This includes all affiliated organizations, partners, and supply
chains. However, several barriers to compliance persist. Key challenges
cited by IT decision-makers include technical debt (24%), lack of
leadership understanding (23%), and insufficient budget/investments
(21%). Notably, 40% of respondents reported decreased IT budgets since
the political agreement for NIS2 was proclaimed effective in January
2023, despite its stringent penalties, which are comparable to those of
the EU's flagship data privacy legislation, the General Data Protection
Regulation (GDPR). 63% of respondents view the GDPR as strict, and 62%
express the same sentiment about NIS2.
Competitive Pressures Amid Cyberthreats
The slow pace of NIS2 adoption is likely due to the multitude of
competing priorities and business pressures that face these
organizations. Respondents rank NIS2 lower in urgency than ten other
issues, including the skills gap, profitability, and digital
transformation. Worryingly, 42% of respondents who consider NIS2
insignificant for EU cybersecurity improvements attribute this to
inadequate consequences of non-compliance, which has led to widespread
apathy towards the directive.
Additional key findings from the survey include:
- 74% of respondents see NIS2 as beneficial, but 57% doubt it will have
  any substantial impact on overall EU cybersecurity posture.
- Sceptics cite additional concerns such as NIS2's lack of
  comprehensiveness (35%), belief that compliance doesn't guarantee
  security (34%), and overlap with existing regulations (25%).
- Other barriers include a lack of focus on NIS2 compliance (20%), tight
  timelines (19%), cybersecurity skills shortage (19%), directive
  complexity (19%), and organizational silos (19%).
- Despite conflicting views, most respondents perceive NIS2 positively in
  the context of their organization's regulatory obligations, feeling
  optimistic (33%), confident (32%), and encouraged (27%).