New research from cloud security firm Zscaler reports a disconnect between European company confidence in reaching NIS 2 compliance ahead of the October 17 deadline and an understanding of what achieving compliance will require.
According to Zscaler’s latest report, NIS 2 & Beyond: Risk, Reward & Regulation Readiness, which surveyed more than 875 IT leaders across six European markets, 80 per cent of IT leaders feel confident that their organisation will meet the compliance requirements before the deadline – and only 14 per cent claim to have already met them. A little over half (53 per cent) of IT leaders, however, believe their teams fully understand the demand, and even fewer (49 per cent) believe leadership does. CISOs face an immediate need to educate all relevant stakeholders, from board level to section owners and employees across the organisation, to ensure compliance ahead of the due date.
Examining the disconnect between confidence and understanding reveals some friction between how leaders are discussing NIS 2 and how they are acting upon it, the firm says. Respondents indicate that leaders recognise the growing importance of the NIS 2 regulations, with one-third (32 per cent) saying it is a top priority for their leadership and 52 per cent saying it is becoming a higher priority. This does not appear to be reflected, however, in the support offered to company IT teams shouldering the burden of the compliance process. Most IT leaders (56 per cent) feel their teams are not getting the leadership team support they need to meet the compliance deadline.
Brian Marvin, Senior Vice President of EMEA Enterprise Sales at Zscaler, says: “While there appears to be a quiet confidence across the region that businesses will reach NIS 2 compliance by the rapidly approaching deadline, our research suggests this confidence could be built on shaky foundations. If they are not careful, many businesses may find themselves rushing to the finish line and neglecting other cybersecurity processes as a result – something 60 per cent of IT leaders admitted is possible. Leadership needs to act now and give their IT teams the necessary support to avoid missing key steps in their compliance journey and risking serious financial consequences.”
Although the NIS 2 directive builds upon the existing NIS framework, 62 per cent of respondents believe it is a significant departure from what they currently use. To become compliant, IT leaders are having to make the most significant changes in the areas of their tech stack/cybersecurity solutions (34 per cent), educating employees (20 per cent), and educating leadership (17 per cent). When asked about the top three challenging sections of the directive, respondents pointed most often to: security in network and information systems acquisition, development, and maintenance (31 per cent), basic cyber hygiene practices and cybersecurity training (30 per cent) and policies and procedures around effective cybersecurity risk management measures (29 per cent).
While the NIS 2 directive is positioned as incorporating foundational level cybersecurity requirements, the report suggests many businesses across Europe are not as far along with their cybersecurity standards as they should be.
Only 31 per cent of respondents would label their current cyber hygiene as ‘excellent’. When looking at the survey from an industry perspective, the transport and energy sectors had a far lower level of cyber hygiene excellence, with only 14 per cent of IT leaders in transport companies, and 21 per cent in energy companies, claiming to have achieved this. These figures suggest that too few businesses in some critical infrastructure sectors have been keeping up with security reviews over the past few years, which could pose issues during their NIS 2 compliance checks this year.
James Tucker, Head of CISO at Zscaler, says: “Regulations by themselves will never be the answer to first-class cybersecurity hygiene – particularly given the scale of the cybersecurity challenge. In fact, 53 per cent of our respondents said the NIS 2 regulations don’t go far enough considering what businesses are facing. Rather than a problem to solve, regulations should be viewed as an opportunity to raise foundational security up a rung. Regulations need to become part of an organisation’s ongoing process reviews instead of a separate activity for IT teams to address. Businesses should be using this opportunity to review the scale of their technology stacks as well as find ways to simplify and track their hardware and software through one platform to avoid complexity in their organisational environment.”
The NIS 2 directive emphasises the responsibility of organisations to ensure network and information system security with a culture of governance and comprehensive risk management, Zscaler writes. “They must adopt proactive technical, operational, and organisational measures to manage the risks posed to the security of network and information systems.”
The NIS 2 directive is a legislative act that aims to achieve a high common level of cybersecurity across the European Union. Member states must ensure that entities across 15 industry segments take appropriate measures to manage the risks posed to the security of network and information systems, and to prevent or minimise the impact of incidents on recipients of their services and on other services.