
Concerns raised over effectiveness of EU cybersecurity directive

Veeam survey finds 43 per cent of IT decision makers believe NIS2 won’t significantly improve cybersecurity.

Less than half of EMEA IT decision makers (43 per cent) believe that the Network and Information Security Directive 2022/2555 (NIS2) will significantly improve EU cybersecurity when it comes into force on 18 October.

NIS2 is an EU directive aimed at strengthening cybersecurity across the EU by widening the range of organisations it covers and raising the security requirements placed on them.

But research commissioned by Veeam Software and carried out by Censuswide has found some scepticism about how effective it will be.

This is despite an overwhelming 90 per cent of respondents reporting at least one security incident in the past 12 months that the NIS2 directive could have prevented. Forty-four per cent experienced more than three cyber incidents, with 65 per cent of those categorised as “highly critical”.

Added to that, although almost 80 per cent of businesses are confident in their ability to eventually comply with NIS2 guidelines, up to two-thirds said they will miss the deadline.

Achieving NIS2 compliance requires businesses to implement essential measures, such as defining incident response plans, securing supply chains, assessing vulnerabilities and evaluating overall security levels. This includes all affiliated organisations, partners and supply chains. However, several barriers to compliance persist.

Key challenges cited by IT decision-makers include technical debt (24 per cent), lack of leadership understanding (23 per cent), and insufficient budget/investments (21 per cent). Notably, 40 per cent of respondents reported decreased IT budgets since the political agreement for NIS2 became effective in January 2023, despite its stringent penalties.

The slow pace of NIS2 adoption is likely due to the multitude of competing priorities and business pressures facing these organisations. Respondents rank NIS2 as less urgent than 10 other issues, including the skills gap, profitability and digital transformation. Forty-two per cent of respondents who consider NIS2 insignificant for improving EU cybersecurity attribute this to inadequate consequences for non-compliance, which has resulted in widespread apathy towards the directive.

Additional key findings from the survey include:

●    74 per cent of respondents view NIS2 as beneficial, but 57 per cent doubt it will have any substantial impact on overall EU cybersecurity posture.

●    Sceptics cite additional concerns such as NIS2's lack of comprehensiveness (35 per cent), belief that compliance doesn’t guarantee security (34 per cent) and overlap with existing regulations (25 per cent).

●    Other barriers include a lack of focus on NIS2 compliance (20 per cent), tight timelines (19 per cent), cybersecurity skills shortage (19 per cent), directive complexity (19 per cent) and organisational silos (19 per cent).

●    Despite conflicting views, most respondents perceive NIS2 positively in the context of their organisation's regulatory obligations, feeling optimistic (33 per cent), confident (32 per cent) and encouraged (27 per cent).

Andre Troskie, EMEA field CISO at Veeam, said, “NIS2 brings responsibility for cybersecurity beyond IT teams into the boardroom. While many businesses recognise the importance of this directive, the struggle to comply found in the survey highlights significant systemic issues. The combined pressures of other business priorities and IT challenges can explain the delays, but this does not lessen the urgency.

“Given the rising frequency and severity of cyberthreats, the potential benefits of NIS2 in preventing critical incidents and bolstering data resilience can't be overstated. Leadership teams must act swiftly to bridge these gaps and ensure compliance, not just for regulatory sake but to genuinely enhance organisational robustness and safeguard critical data.”
