The NIS2 Directive and deadline, set to take effect on October 18, 2024, represents a major evolution in the European Union’s cybersecurity framework, extending its regulatory reach to a broader range of sectors and imposing stricter cybersecurity preparedness and response requirements. Veeam Software’s recent survey, conducted by Censuswide, reveals the extent to which organizations across the EU struggle to meet the impending compliance deadline, with significant implications for businesses that fail to adhere to the new rules.
What is NIS2 and Who Does it Affect?
The NIS2 Directive, a successor to the original Network and Information Security Directive (NIS), is designed to enhance the overall cybersecurity resilience of the EU. It broadens the original directive’s scope by including “essential” sectors such as energy, finance, and healthcare, but also “important” sectors like public administration, digital infrastructure, and manufacturing. This broader coverage means that more entities will now be subjected to regulatory oversight, requiring them to meet heightened standards for risk management, incident response, and business continuity.
The directive distinguishes between “essential” and “important” entities. Essential entities include critical infrastructure like transport, banking, and healthcare, while important entities encompass sectors that, though not foundational, are vital to the EU’s economic and social framework. Compliance requirements are more stringent for essential entities, with strict penalties for non-compliance, including fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher. Important entities face slightly less severe penalties, but the need for compliance remains significant.
Our further takeaways on the NIS2 Deadline from the Veeam survey follows; you can get the whole report here.
Struggles with Compliance
According to Veeam’s survey, which involved more than 500 IT decision-makers across Belgium, France, Germany, the Netherlands, and the UK, many organizations face significant challenges in preparing for the NIS2 Deadline. The findings reveal that approximately 80% of businesses are confident in their ability to comply with the directive eventually, but 66% admit they will miss the upcoming compliance deadline. Despite nearly universal recognition of the importance of cybersecurity—90% of respondents experienced a cybersecurity incident in the past 12 months that could have been prevented by adhering to NIS2—only 43% believe that NIS2 will significantly enhance EU cybersecurity.
One of the key barriers to compliance is technical debt, cited by 24% of respondents as a major obstacle. This refers to outdated systems and technologies that must be upgraded or replaced to meet the new standards. Another significant barrier is the lack of leadership understanding, highlighted by 23% of those surveyed, which points to a gap in the prioritization of cybersecurity at the executive level. Budget constraints are also a concern, with 21% reporting insufficient investments to support compliance efforts.
Interestingly, 40% of respondents indicated that their IT budgets have decreased since NIS2 was announced in January 2023, despite the directive’s stringent penalties for non-compliance. This decrease in budget allocation suggests a misalignment between the perceived importance of cybersecurity and the resources provided to achieve compliance.
Competitive Pressures and Apathy Toward NIS2
The slow pace of NIS2 adoption can be attributed to the multitude of competing business priorities organizations face. Many respondents ranked NIS2 compliance lower in urgency than pressing issues such as closing the skills gap, maintaining profitability, and driving digital transformation. Moreover, 42% of those who consider NIS2 insignificant to improving EU cybersecurity believe this due to what they perceive as insufficient consequences for non-compliance, leading to a general apathy toward the directive.
Despite this, a majority of respondents view the NIS2 deadline positively for their organizations, with 74% agreeing that it will be beneficial. However, skepticism remains, with 57% doubting its potential to impact the overall cybersecurity landscape in the EU substantially. Concerns include the directive’s lack of comprehensiveness (35%), doubts that compliance guarantees security (34%), and overlap with existing regulations (25%).
Barriers and Challenges to Implementation
Achieving compliance with NIS2 involves meeting various requirements that aim to elevate cybersecurity standards across sectors. These include defining incident response plans, securing supply chains, assessing vulnerabilities, and implementing business continuity strategies. The survey highlighted several challenges that organizations face in implementing these measures, such as:
- Lack of Focus on NIS2 Compliance: With 20% of respondents citing a lack of focus on compliance as a barrier, it’s evident that many organizations struggle to prioritize the directive amidst other business demands.
- Tight Timelines and Skills Shortages: Nineteen percent of respondents pointed to tight timelines and a shortage of cybersecurity skills as significant obstacles. Given the directive’s complexity, these challenges could hinder businesses’ ability to meet the upcoming deadline effectively.
- Organizational Silos: The existence of organizational silos, cited by 19% of respondents, complicates the process of implementing NIS2 requirements, as effective cybersecurity often requires coordination across multiple departments and functions.
The Path Forward: Recommendations for Compliance
To navigate the challenges presented by NIS2, Veeam emphasizes the importance of taking proactive steps to ensure compliance. This includes thoroughly understanding the directive, determining whether an organization is classified as “essential” or “important,” and developing an action plan to meet the specific requirements. Key steps for achieving compliance include:
- Conducting a Review and Audit: Organizations should audit their current cybersecurity posture against the ten minimum measures outlined in NIS2 to identify areas for improvement.
- Gaining Leadership Buy-in: Cybersecurity cannot be the responsibility of IT and compliance teams alone. It requires support and involvement from all levels of the organization, particularly leadership, to ensure adequate resources and attention are dedicated to compliance.
- Implementing Organizational Training: Continuous training is necessary to maintain awareness of cybersecurity responsibilities and keep up with evolving threats. This should not be a one-time initiative but an ongoing effort.
Conclusion
The NIS2 Directive represents a significant step forward in the EU’s efforts to strengthen cybersecurity across member states. However, the challenges highlighted in Veeam’s survey indicate that many organizations are not ready to meet the NIS2 Deadline requirements. With the deadline rapidly approaching, businesses must act swiftly to bridge the gaps in their cybersecurity posture, not only to avoid penalties but to genuinely enhance their resilience against the growing threat landscape.
The message for organizations across the EU is clear: preparation for NIS2 is non-negotiable, and the time to act is now. As the regulatory environment becomes more stringent, those who fail to comply risk financial penalties, the potential loss of customer trust, and reputational damage. By taking proactive steps to understand the directive and implementing the necessary measures, businesses can meet compliance requirements and position themselves as leaders in cybersecurity resilience.
Other News: LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort.