NIS2 Compliance Strains EMEA Budgets and Skills

As the implementation of the NIS2 directive unfolds across the EU, a recent Censuswide survey commissioned by Veeam® Software highlights its significant impact on businesses adapting to this critical cybersecurity regulation. Veeam, recognized as the global leader in Data Resilience by market share, found that while many IT leaders express confidence in meeting NIS2 compliance, the directive has exacerbated existing challenges such as resource limitations and skills shortages. The survey indicates that skills gaps are the primary pressure point for organizations in the EMEA region, with 30% reporting that they have tapped into recruitment budgets to support NIS2 compliance efforts.

Budget Challenges Amid NIS2 Compliance

The survey reveals that while IT leaders have managed to secure sufficient budgets for NIS2 compliance, the implications for other operational areas could be substantial. A notable 68% of companies report acquiring the necessary additional funding for NIS2, yet 20% cite budget constraints as a significant barrier to achieving compliance. Since the political agreement for NIS2 in January 2023, 40% of businesses have encountered reduced IT budgets, and 20% have experienced no changes in their financial situation. Alarmingly, 95% of organizations have redirected funds from other business areas to cover NIS2 compliance costs. Specifically, 34% of companies have pulled from risk management budgets, 30% from general recruitment, 29% from crisis management, and 25% from emergency reserves, highlighting the strain on their already tight financial resources.

Edwin Weijdema, Field CTO EMEA at Veeam, noted, “While securing adequate budget for cybersecurity is a common challenge for IT leaders, the strict penalties and corporate accountability emphasized by NIS2 may facilitate this process. However, with most IT budgets facing cuts or stagnation due to rising costs and inflation, NIS2 is drawing from an already limited pool. It’s concerning to see funds redirected from recruitment and emergency reserves. NIS2 shouldn’t be perceived as a crisis, yet one in four businesses seem to view it that way.”

Increasing Pressures for IT Leaders

The survey also sheds light on the principal business pressures confronting IT leaders. NIS2 ranks low on the priority list at #10, underscoring the vast array of challenges faced by senior executives. The top challenges identified include the skills gap (24%), profitability concerns (23%), digital transformation (23%), rising operational costs (20%), and a lack of resources (20%). These findings indicate that both human and financial resources are the main limiting factors for IT leaders, yet NIS2 demands significant investments in both areas.

To comply with NIS2, companies are taking several measures, including conducting IT audits (29%), reviewing cybersecurity processes and best practices (29%), developing new policies and procedures (28%), investing in new technology (28%), and increasing budget allocations for cybersecurity (28%). The primary enablers of NIS2 compliance are new technology solutions (27%), IT audits (25%), and enhanced internal organizational skills (25%), all of which require substantial budget and expertise.

Security and Compliance Dominate EMEA IT Budgets

Despite the overall reductions in IT budgets over the past two years, additional funding has still been allocated for NIS2 compliance—either from IT budgets or other business areas. This trend explains why 80% of EMEA IT budgets are now dedicated to cybersecurity and compliance for companies required to comply with NIS2, leaving minimal resources to address other pressing challenges, such as the skills gap and digital transformation.

“Maintaining security and compliance is crucial for any organization, but the current allocation of most IT budgets to these areas highlights the lack of preparedness and resources. IT leaders must find ways to meet NIS2 requirements swiftly, even with limited budgets. Those adopting a holistic approach to security and best practices prior to legislative mandates will likely face less pressure and be better equipped to tackle other key priorities,” said Andre Troskie, Field CISO EMEA at Veeam.

UK Leads in NIS2 Investment and Confidence

While NIS2 does not directly impact UK companies, those engaging with EU entities must comply, and their responses reveal a more positive outlook. The UK stands out as the only country surveyed to report an increase in IT budgets since January 2023, with 62% of UK IT decision-makers noting budget growth and only 14% experiencing a decrease. This trend enables UK businesses to invest more significantly in enhancing their security posture ahead of the directive.

Notably, 38% of UK respondents have already invested in reviewing cybersecurity processes and best practices, and 34% have allocated funds for new technologies—figures surpassing those of their EU counterparts. UK IT leaders plan to sustain significant investments, with 30% intending to further enhance cybersecurity processes and 25% planning new technology investments, compared to averages of 15% and 16% in other surveyed countries.

Dan Middleton, Regional Vice President of the United Kingdom & Ireland at Veeam, commented, “Given their readiness to invest and improve, it’s no surprise that 90% of UK IT decision-makers feel confident in their ability to comply with regulatory requirements—the highest confidence in EMEA. This is encouraging ahead of the upcoming Cyber Security and Resilience Bill. Although the specifics are still pending, any proactive measures UK businesses take now to enhance their cyber and data resilience will benefit them when this regulation comes into effect, including plans by over one-third (36%) of UK respondents to invest in upskilling existing employees to address the growing skills gap, which is causing significant pressure for 30% of UK businesses.”