Veeam survey uncovers apathy toward EU’s NIS2 security directive

A Veeam survey reveals that only 43 percent of EMEA IT decision-makers believe NIS2 will significantly enhance EU cybersecurity, yet 90 percent of respondents reported at least one security incident that the directive could have prevented in the past 12 months.

Some 44 percent of respondents experienced more than three cyber incidents, with 65 percent categorized as “highly critical.”

Andre Troskie, Veeam
Andre Troskie

Andre Troskie, EMEA Field CISO at Veeam, stated: “NIS2 brings responsibility for cybersecurity beyond IT teams into the boardroom. While many businesses recognize the importance of this directive, the struggle to comply found in the survey highlights significant systemic issues.”

The EU cybersecurity NIS2 (Network and Information Security 2) directive updates the 2016 NIS directive, which aimed to improve the cyber-resilience of critical infrastructure and services across the European Union. Operators of such services had to set up risk management practices and report significant incidents. EU member states had to set up national cybersecurity strategies and Computer Security Incident Response Teams (CSIRTs), and there was an EU-wide Cooperation Group to encourage cybersecurity information  sharing.

NIS2, which takes effect on October 18, broadens the scope of NIS, has stricter security requirements, faster incident reporting, a focus on supply chain security, harsher penalties for non-compliant organizations, harmonized rules across the EU, and better member state information sharing.

It represents an additional cost for businesses and other organizations. French digital services company Wallix states: ”Compliance with Directive NIS2 is non-negotiable and has significant financial implications for companies. According to the impact assessment associated with the directive, it is expected that companies will increase their spending on computer security by up to 22 percent in the first years following its implementation.”

Economics consultancy Frontier Economics assessed the NIS2 costs and its report states: “The direct costs of implementing the regulation on firms across the EU is €31.2 billion per year representing 0.31 percent of total turnover across all of the sectors that are affected by the NIS2 Directive … This represents a large increase in costs given that the EC estimated that average ICT security spending as a percentage of turnover was 0.52 percent in 2020.” 

It provided a chart of likely costs per affected economic sector:

Wallix suggests: “Although this increase in spending may seem substantial, it is expected to be offset by a significant reduction in costs associated with cybersecurity incidents.”

Veeam Software commissioned the survey from Censuswide, which gathered the views of more than 500 IT decision-makers from Belgium, France, Germany, the Netherlands, and the UK. The UK was included due to its significant business ties with EU countries. Nearly 80 percent of businesses are confident in their ability to eventually comply with NIS2 guidelines, but up to two-thirds state they will miss this deadline.

The main reasons cited were technical debt (24 percent), lack of leadership understanding (23 percent), and insufficient budget/investments (21 percent). The survey found that 42 percent of respondents who consider NIS2 insignificant for EU cybersecurity improvements attribute this to inadequate consequences of non-compliance. That’s led “to widespread apathy towards the directive.”

Troskie said: “The combined pressures of other business priorities and IT challenges can explain the delays, but this does not lessen the urgency. Given the rising frequency and severity of cyberthreats, the potential benefits of NIS2 in preventing critical incidents and bolstering data resilience can’t be overstated. Leadership teams must act swiftly to bridge these gaps and ensure compliance, not just for regulatory sake but to genuinely enhance organizational robustness and safeguard critical data.”

Veeam provides an NIS2 compliance checklist, assessment, and white paper.