
Edwin Weijdema at Veeam considers how businesses and regulators need to move forward, now that the NIS2 Directive is in force
With the NIS2 Directive now in full force, businesses across the EU face new regulatory demands that have reshaped their cyber-security obligations. The latest survey from Veeam Software revealed that two-thirds (66%) of organisations were set to miss the deadline. While NIS2 is crucial, further evolution is needed to bolster resilience against increasing cyber-threats.
NIS2 expands the scope of its predecessor, the NIS Directive, mandating stricter security measures for ‘essential’ and ‘important’ entities in critical sectors such as energy, transport, and finance. While only 43% of surveyed EMEA IT decision-makers believe that NIS2 will significantly enhance EU cyber-security, it has brought several areas for improvement to the fore, helping businesses identify their pain points. These include:
A need for greater clarity and simplification
Over a third (35%) of respondents find NIS2 too complex and 25% find it overlaps with existing regulations like the GDPR. Future iterations should provide clearer guidance on compliance, especially for smaller enterprises, streamlining processes to encourage faster adoption.
A need to address the skills gap
With a shortage of cyber-security professionals cited as a barrier to compliance by 19% of respondents, initiatives to support training and upskilling are critical for the long-term success of NIS2. The good news is that over one-third (36%) of UK respondents plan to upskill existing employees, which will help tackle the growing skills gap. Almost a third (30%) of UK businesses named that gap as the IT challenge putting them under the most pressure, ahead of any other common challenge.
A need for investment
38% of UK-based respondents have already invested in reviewing their cyber-security processes and best practices in line with NIS2 compliance, and 34% have invested in new technologies, which are higher figures than reported by their EU-based counterparts. UK IT decision-makers also plan to continue investing in security going forward, with 30% intending to further review cyber-security processes and best practices, and 25% planning new technology investments, compared to an average of 15% and 16% across other surveyed countries. In addition, almost half (47%) of EU-based respondents reported a decrease in their IT budgets since January 2023, compared to just 14% of those in the UK, showing room for improvement across the region.
With 66% of businesses predicting that they would miss NIS2’s compliance deadline, business leaders should harbour no illusions about the gravity of non-compliance and its impact on their business, including revenue and overall operations. Failure to comply with NIS2 could also have severe personal repercussions for C-suite executives. Under the directive, the management bodies of in-scope entities in the EU can be held personally liable for infringements, including financial liability and even temporary bans from management roles. This marks a significant shift in corporate accountability and should motivate the C-suite to urgently address the critical need for data resilience.
Data is the lifeblood of businesses, and it is constantly under threat. Business leaders must seize the opportunity to enhance data resilience at every juncture. NIS2 provides a crucial framework for assessing their current security posture and implementing changes that significantly bolster data resilience. Compliance alone does not guarantee complete security, but it does require proactive measures against vulnerabilities rather than reaction after a breach. With threats escalating globally, business leaders must act now to secure their operations. Those who fail to do so will face significant consequences, both personally and professionally.
Whether or not they currently do business with EU entities, compliance should be top of mind for UK companies that do not want to lose out on potential business opportunities: where the EU goes, the rest of the world will likely follow. Fortunately, the UK was the only country surveyed to report a net increase in IT budgets since January 2023, with 62% of UK-based IT decision-makers reporting a budget increase and just 14% seeing a decrease. This has enabled UK businesses to invest in improving their security posture ahead of the directive, which is essential if they want to continue doing business with EU-based companies.
In the UK itself, business leaders are held to account for cyber-security under the UK NIS Regulations and the Data Protection Act 2018 (which incorporates the UK GDPR), within the policy framework set by the 2022 National Cyber Strategy. These require organisations in critical sectors to implement robust cyber-security measures and report incidents. While senior management may not always be personally liable for breaches, directors can be held accountable under the Companies Act 2006 for failing to ensure proper governance and compliance. In cases of negligence or failure to act, directors could face personal liability if this leads to significant harm to the business or its customers.
While the details of the upcoming Cyber Security and Resilience Bill are yet to be released, any moves UK businesses make now to enhance their cyber- and data-resilience will benefit them when this regulation comes into force.
Compliance with NIS2 is just the beginning. The directive is an opportunity for businesses to elevate their cyber-security posture beyond regulatory requirements and build true data resilience. The focus should not be solely on avoiding penalties, but on preventing potentially catastrophic breaches that could compromise the core of business operations.
Organisations that take a proactive stance now, prioritising their cyber-security measures and securing their supply chains, will not only comply with NIS2 but also future-proof their operations against an ever-evolving threat landscape. At the same time, they will meet the new accountability standards under which executives can be held personally liable for cyber-security failures.
The NIS2 compliance deadline may have passed, but the journey to compliance is far from over for many. Organisations must act swiftly, not just to avoid penalties but to safeguard their operations and data in an increasingly volatile cyber-security environment. With the right leadership, investment and focus, businesses can transform this regulatory challenge into a strategic advantage.
The NIS2 Directive provides a crucial framework, but the ultimate responsibility for securing an organisation’s future lies with its leadership – those who act now will be best positioned to thrive in the digital economy.
Edwin Weijdema is EMEA Field CTO at Veeam
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543