
Veeam survey shows 90% of EMEA organizations have faced cybersecurity incidents that NIS2 could have prevented – Intelligent CISO

Approximately 80% of organizations are confident of complying with NIS2, but 66% will miss the compliance deadline.

Andre Troskie, EMEA Field CISO at Veeam

Companies are navigating a landscape of mixed emotions as the effective date of the Network and Information Security Directive 2022/2555 (NIS2) approaches.

NIS2, a regulation to strengthen cybersecurity across the EU by expanding the scope and tightening security requirements, comes into force.

Veeam Software commissioned a new survey from Censuswide that shows only 43% of IT decision makers in EMEA believe NIS2 will significantly improve cybersecurity in the EU.

This is despite the fact that an overwhelming 90% of respondents reported at least one security incident in the last 12 months that the NIS2 policy could have prevented. Worryingly, 44% of respondents experienced more than three cyber incidents, with 65% of these classified as “very critical”.

The survey results, which include the views of more than 500 IT decision-makers from Belgium, France, Germany, the Netherlands and the United Kingdom, showed the state of play less than a month before this directive comes into force on October 18th. However, almost 80% of companies are confident that they will ultimately be able to comply with NIS2 guidelines, with up to two thirds saying they will miss this upcoming deadline.

Barriers to NIS2 compliance

To achieve NIS2 compliance, companies must implement essential measures such as defining incident response plans, securing supply chains, assessing vulnerabilities, and assessing overall security levels.

This includes all affiliated organizations, partners and supply chains. However, several barriers to compliance remain. Top challenges cited by IT decision makers include technical debt (24%), lack of leadership insight (23%) and inadequate budgets/investments (21%).

Notably, 40% of respondents reported decreased IT budgets since the political agreement for NIS2 was declared effective in January 2023, despite strict penalties comparable to those of the EU's main data protection legislation, the General Data Protection Regulation (GDPR). 63% of respondents think the GDPR is strict, and 62% express the same opinion about NIS2.

Competitive pressures amid cyber threats


The slow pace of NIS2 adoption is likely due to the variety of competing priorities and business constraints these organizations face. Respondents ranked NIS2 lower in urgency than ten other issues, including skills gaps, profitability and digital transformation. Worryingly, 42% of respondents who consider NIS2 insignificant to improvements in cybersecurity in the EU attribute this to insufficient consequences for non-compliance, which has led to widespread apathy towards the directive.

Other key findings from the survey include:

  • 74% of respondents see NIS2 as beneficial, but 57% doubt that it will have a significant impact on the EU's overall cybersecurity posture.
  • Skeptics cite other concerns such as the lack of completeness of NIS2 (35%), the belief that compliance is not a guarantee of security (34%) and overlap with existing regulations (25%).
  • Other barriers include a lack of focus on NIS2 compliance (20%), tight timelines (19%), a shortage of cybersecurity talent (19%), policy complexity (19%) and organizational silos (19%).
  • Despite conflicting views, most respondents perceive NIS2 positively in the context of their organization's regulatory obligations and feel optimistic (33%), confident (32%) and encouraged (27%).

Andre Troskie, EMEA Field CISO at Veeam, said: “NIS2 takes cybersecurity responsibility beyond IT teams and into the boardroom. While many companies recognize the importance of this policy, the struggle to comply with it identified in the survey highlights significant systemic problems. The combined pressures of other business priorities and IT challenges may explain the delays, but that does not reduce the urgency.

“With the increasing frequency and severity of cyber threats, the potential benefits of NIS2 in preventing critical incidents and strengthening data resiliency cannot be overstated. Leadership teams must act quickly to close these gaps and ensure compliance, not only for regulatory reasons, but also to truly improve organizational resilience and protect critical data.”
