Approximately 160,000 organisations across 15 sectors in Europe must comply with the new NIS 2 directive by 17th October.
- The updated directive introduces stricter requirements for risk management and incident reporting.
- It encompasses a wider range of sectors and imposes more severe penalties for non-compliance.
- In a recent survey, 80% of European IT leaders believe they will meet the compliance deadline.
- However, only half of the respondents fully understand the requirements.
By 17th October, roughly 160,000 organisations spanning 15 sectors in Europe are required to comply with the new Network and Information Security Directive (NIS 2). This directive comes with more stringent requirements for risk management and incident reporting, extending its reach to a broader array of sectors, and enforcing stricter penalties for non-compliance.
The directive aims to foster a proactive approach towards cyber-security, equipping organisations with essential processes and frameworks. As technological advancements like AI accelerate the exploitation of security vulnerabilities, the threat landscape has become increasingly perilous. Consequently, many organisations are realising the limitations of their reactive cyber-security strategies.
NIS 2, effective from October 2024, requires the management of entities in specific categories to implement cyber-security risk management measures. This directive impacts critical physical and digital infrastructure not only within EU member states but also applies to organisations worldwide that provide services to protected sectors within the EU.
The scope of affected organisations varies by sector, with a minimum requirement of 50 employees for important entities and 250 employees for essential entities. Non-compliance can result in substantial penalties—up to €10 million or 2% of total global annual turnover for essential entities, and up to €7 million or 1.4% for important entities.
In April 2024, a survey by Zscaler revealed a concerning gap between the confidence levels of European organisations and their understanding of NIS 2 compliance requirements. Despite 80% of IT leaders expressing confidence in meeting the deadline, only half believed their teams fully grasp the directive’s requirements. This disparity may lead to a last-minute rush for compliance, heightening existing cyber-security risks.
In the UK, confidence is slightly higher, with 82% of IT leaders believing they will meet the compliance requirements and 15% claiming to have already achieved compliance. However, understanding of the requirements still lags behind, with only 57% of UK teams and 56% of leadership feeling fully informed.
The survey indicated that UK organisations are generally ahead in adopting new technologies, showcasing a ‘keep calm and carry on’ mentality. They seek practical ways to comply with NIS 2 without overhauling their entire security infrastructure. Conversely, some European organisations are stalling due to excessive planning, possibly delaying progress.
There is a noticeable disconnect between how NIS 2 is perceived by IT leaders and its actual intent. While it is positioned as an extension of the existing NIS framework, nearly two-thirds of respondents view it as a significant shift from their current strategy. This suggests some organisations have been maintaining minimal security standards for as long as possible.
Only 32% of continental European IT leaders rated their cyber-hygiene as excellent, compared to 45% in the UK. Similarly, the implementation of a zero-trust security architecture remains incomplete for 40% of organisations across Europe. This indicates substantial work is needed before the directive becomes local law.
Despite these challenges, many IT leaders understand that NIS 2 compliance necessitates more than just procedural changes. It calls for a foundational shift towards proactive risk management and comprehensive cyber-security vigilance. The adoption of zero-trust architectures and streamlined technology stacks is seen as a critical step towards achieving this goal.
A mindset change is imperative to elevate IT security in the digital era. Organisations must integrate their various technologies into a cohesive platform to reduce complexity and enhance security. By doing so, they can better identify and respond to threats, aligning with NIS 2’s mandates for secure data handling and incident management.
Ultimately, NIS 2 compliance demands a shift from procedural checkboxing to a proactive, holistic approach to cyber-security. This will enable organisations to navigate the evolving threat landscape and protect their digital assets effectively.
NIS 2 compliance requires a foundational shift towards proactive cyber-security to address the dynamic threat environment.