1 October 2024, Tue |
12:34 AM
As the enforcement date for the Network and Information Security Directive 2022/2555 (NIS2) approaches, organizations across the EU are navigating mixed emotions. NIS2, aimed at strengthening cybersecurity across the EU by expanding security requirements, is set to take effect on October 18, 2024. Despite the regulation’s importance, a new survey by Veeam Software, reveals that only 43% of IT decision-makers in EMEA believe NIS2 will significantly enhance cybersecurity across the region. This is in contrast to the 90% of respondents who reported experiencing at least one security incident in the past year that NIS2 could have prevented. Additionally, 44% of respondents experienced more than three cyber incidents, with 65% of these incidents categorized as “highly critical.”
The survey, commissioned by Veeam® and conducted by Censuswide, collected responses from over 500 IT leaders across Belgium, France, Germany, the Netherlands, and the UK. The findings reflect concerns as NIS2’s enforcement date draws closer. While 80% of businesses express confidence in their ability to eventually comply with NIS2 guidelines, up to two-thirds acknowledge they will miss the imminent October deadline. Many businesses face significant barriers to compliance, including technical debt (24%), lack of leadership understanding (23%), and insufficient budget or investments (21%). Notably, 40% of respondents have reported decreased IT budgets since the political agreement on NIS2 was reached in January 2023, despite the directive’s strict penalties, which are comparable to those under the EU’s General Data Protection Regulation (GDPR).
The slow pace of NIS2 adoption can also be attributed to competing business priorities. IT decision-makers rank NIS2 compliance as less urgent than other issues such as the ongoing skills gap, profitability, and digital transformation efforts. Additionally, 42% of respondents who do not see NIS2 as significantly improving EU cybersecurity believe that this is due to insufficient consequences for non-compliance, leading to widespread apathy toward the directive. Despite these concerns, 74% of respondents see NIS2 as beneficial, though 57% are skeptical of its overall impact on EU cybersecurity.
Additional survey findings reveal that challenges to NIS2 compliance include the directive’s complexity (19%), a lack of focus on compliance (20%), and the ongoing cybersecurity skills shortage (19%). Despite conflicting views, most respondents perceive NIS2 positively in the context of their organization’s regulatory obligations, with many expressing optimism (33%), confidence (32%), and encouragement (27%) about the directive’s potential benefits.
Andre Troskie, EMEA Field CISO at Veeam®, emphasized the importance of NIS2, stating: “NIS2 brings responsibility for cybersecurity beyond IT teams and into the boardroom. While many businesses recognize the significance of this directive, the survey highlights systemic issues slowing compliance. Given the rising frequency and severity of cyberthreats, the potential benefits of NIS2 in preventing critical incidents and improving data resilience cannot be overstated. Leadership teams must act swiftly to ensure compliance, not only to meet regulatory demands but to genuinely enhance their organization’s cybersecurity posture.”
As the October 18 enforcement date for NIS2 draws near, organizations must prioritize compliance to avoid penalties and, more importantly, to strengthen their defenses against escalating cyberthreats.
