
NIS2 could prevent cybersecurity incidents, but many companies are unprepared

The EU's latest Network and Information Security Directive (NIS2) comes into force on October 18th. However, new research has found that while almost 80 percent of companies are confident that they will ultimately be able to comply with NIS2 guidelines, up to two-thirds say they will not comply with the guidelines by this upcoming deadline.

Veeam Software's survey of over 500 IT decision makers from Belgium, France, Germany, the Netherlands and the United Kingdom shows that 90 percent of respondents report at least one security incident that the NIS2 policy could have prevented in the last 12 months.

Even more worrying, 44 percent of respondents experienced more than three cyber incidents, with 65 percent of those classified as “very critical.”

To achieve NIS2 compliance, companies must implement essential measures such as defining incident response plans, securing supply chains, assessing vulnerabilities, and assessing overall security levels. This includes all affiliated organizations, partners and supply chains. However, several barriers to compliance remain.

Top challenges cited by IT decision makers include technical debt (24 percent), lack of leadership understanding (23 percent), and inadequate budgets/investments (21 percent). Notably, 40 percent of respondents report decreased IT budgets since the political agreement for NIS2 was declared effective in January 2023, despite the strict penalties comparable to those of the EU's main data protection legislation, the General Data Protection Regulation (GDPR). 63 percent of respondents believe the GDPR is strict, and 62 percent express the same opinion about NIS2.

Andre Troskie, EMEA Field CISO at Veeam, said: “NIS2 takes cybersecurity responsibility beyond IT teams and into the boardroom. While many companies recognize the importance of this policy, the struggle for compliance identified in the survey highlights significant systemic problems. The combined pressures of other business priorities and IT challenges may explain the delays, but this does not reduce the urgency. Given the increasing frequency and severity of cyber threats, the potential benefits of NIS2 in preventing critical incidents and strengthening data resilience cannot be overstated. We must act quickly to close these gaps and ensure compliance, and not only for regulatory reasons, but also to really improve organizational robustness and protect critical data.”

The slow pace of NIS2 adoption is partly due to companies having other priorities. Respondents rate NIS2 as less pressing than other issues, including skills gaps, profitability and digital transformation. The 42 percent of respondents who believe NIS2 is insignificant to improvements in cybersecurity in the EU attribute this to inadequate consequences for non-compliance, which has led to widespread apathy towards the directive.

A summary of the results can be found in the infographic below.

Photo credit: IgorVetushko/depositphotos.com