While IT people have managed to secure enough budget to meet the NIS2 directive, the impact on other areas could be significant, according to a survey for a software firm.
Some 68 per cent of companies surveyed by Censuswide, for Veeam Software, report receiving the necessary extra budget for NIS2 compliance. Some 20 per cent identified budget as being a significant barrier to achieving compliance. Since the political agreement for NIS2 in January 2023, 40pc of businesses have faced decreased IT budgets and 20pc have unchanged financials. Nearly all, 95pc of organisations, have diverted funds from elsewhere in the business to cover NIS2 compliance costs. More specifically, 34pc of companies dipped into their risk management budgets, 30pc into wider recruitment, 29pc into crisis management, and 25pc into emergency reserves, the survey suggests.
Edwin Weijdema, Field CTO EMEA at Veeam, said: “Securing adequate budget for cybersecurity is often a challenge for IT leaders, but the strict penalties and emphasis on corporate accountability from NIS2 may help ease that process. However, as most IT budgets are either being cut or remaining stagnant — effectively shrinking due to rising business costs and inflation — NIS2 is pulling from an already limited pool. It’s particularly concerning to see funds being redirected from recruitment and emergency reserves. NIS2 shouldn’t be treated as a crisis, yet one in four businesses appears to view it that way.”
Irish regret
‘Unfortunately’, to use the word of the National Cyber Security Centre of Ireland, the Republic of Ireland’s equivalent of the UK’s official NCSC, the Republic will not meet the deadline for NIS2. The NIS2 Directive is the European Union-wide legislation on cybersecurity which updates the 2016 NIS Directive, which the UK is part of. The UK is due to pass its own law as an update to NIS. Covered are such sectors as energy, transport, water, banking, healthcare and digital infrastructure. For financial market infrastructures, another EU law, the Digital Operational Resilience Act (DORA) will take priority. For a ‘quick reference guide’, visit the Irish NCSC website.
Background
The 41,000 words of the NIS2 directive set ‘measures for a high common level of cybersecurity’ across the European Union, including strategy, CSIRTs (computer security incident response teams), reporting obligations, risk assessment of critical supply chains, certification schemes, and penalties for non-compliance. Some of the ‘critical sectors’ that newly fall under NIS2 are postal and courier services, food production and distribution, and waste management. Depending on the sector and the size of business, a firm may be deemed ‘essential’ or ‘important’; under either definition, you have obligations under NIS2, but the supervision is different. In the Republic of Ireland, for instance, you’ll have to submit your name, address and contact details to the Irish NCSC. All ‘significant’ cyber incidents in the Republic will have to be reported to the Irish NCSC within 24 hours.
Comments
Keith Fenner, SVP and GM International at Diligent, a governance, risk and compliance (GRC) software firm, said that UK businesses should be set up to comply with the new stricter rules. “This latest directive will provide greater harmonisation across Europe for cybersecurity practices and bolster international cooperation when it comes to incident reporting. It will decrease the risks associated with cyber activity and disruption to businesses, societies and economies more widely.
“Businesses will face reputational and financial consequences for non-compliance, but there is also an opportunity for them to bolster cyber resilience, using the recommended minimum levels of performance as a springboard to implement strong measures to shore up defences and address future risks. Ultimately, NIS2 will create more resilient organisations that are poised for long-term success. What’s more, the Digital Operations Resilience Act (DORA) is due to take effect in January, so this certainly isn’t the last we’ll see of changes to cybersecurity regulation in the coming months.”
The firm recently launched Artificial Intelligence (AI) Act Toolkits, designed to help corporate secretaries, legal and compliance teams, chief technology officers, chief information security officers and audit teams navigate AI governance and AI regulatory compliance.
David Higgins, Senior Director, Field Technology Office at CyberArk said: “Put simply, NIS2 means all defined critical organisations need to identify, assess and address their exposure to the risk of a cyberattack – what’s known as their ‘risk profile’. Article 21 in particular mandates that they put robust cybersecurity measures in to secure their supply chains and enforce Zero Trust access, among a host of security policies companies will need to implement and report on.
“Identity security is going to take centre stage from a compliance point of view here, as it involves constantly checking and authorising both internal and external users, following Zero Trust principles. This is especially important since organisations have to protect a huge network of threats under NIS2, including subcontractors and service providers. Companies also need to tick off important NIS2 Article 21 requirements related to handling and reporting incidents. Having a solid Identity Security strategy is important here, to not only protect vital infrastructure against those inevitable future attacks, but also to track and manage the handling of critical information in real-time.”
Bart Salaets, Field CTO EMEA at the cyber firm F5 said: “With the regulation broadening its scope, more organisations — particularly those that may not have previously prioritised cybersecurity — will now need to comply. It’s important to note that businesses will be penalised if attacks are not reported.
“One of the biggest challenges of an intensified regulatory spotlight on security is the added complexity of both securing and monitoring digital infrastructures that increasingly span multiple clouds and in-house data centres. To navigate the legislation, organisations should create centralised visibility and unified reporting across security platforms. The need for integrated solutions and sophisticated reporting tools — potentially AI-driven — will be essential in helping organisations meet their reporting obligations under NIS2.”
As of October 17, EU member states are required to turn the NIS2 directive into enforceable legal obligations for businesses, said Patrick Scholl, Head of OT at Infinigate. Companies impacted should start the implementation process sooner rather than later, as achieving NIS2 compliance may demand considerable time and effort, particularly with organisations being at different stages of cybersecurity readiness, he added. “In terms of practical steps, organisations must first determine whether they fall under the categories of “essential” or “important” entities, as this will dictate the stringency of the measures they need to adopt. Secondly, companies can seek technologies and processes to ensure NIS2 compliance, including performing audits, asset discovery, and risk assessments. This also encompasses reporting services, such as setting up procedures for incident reporting and training personnel to notify the relevant authorities within the specified time.”