However, a large majority assume that they can implement the directive. Less than half of companies in EMEA expect NIS2 to significantly improve cybersecurity in the EU.
A survey commissioned by Veeam has found that up to two-thirds of companies in the EMEA region will miss the upcoming October 18 deadline for implementing the NIS2 cybersecurity directive. 80 percent are confident that they will ultimately be able to implement the prescribed measures.
In contrast, according to Veeam, 90 percent of respondents reported at least one security incident in the last twelve months that could have been prevented with the measures required by the NIS2 directive. Also alarming: 44 percent of those surveyed experienced more than three such cyber incidents in their companies, and 65 percent of these incidents were classified as “highly critical”.
However, the survey also shows considerable skepticism towards the directive. Only 43 percent of IT decision-makers in EMEA believe that NIS2 will significantly improve cybersecurity in the EU.
Survey respondents cited technical debt (24 percent), lack of leadership understanding (23 percent), and inadequate budgets/investments (21 percent) as the top challenges in implementing NIS2. What is striking, according to Veeam, is that 40 percent of those surveyed reported reduced IT budgets since the political decision to implement NIS2 in January 2023, even though the penalties are as strict as those under the EU’s General Data Protection Regulation (GDPR).
“NIS2 takes cybersecurity responsibility beyond IT teams and into the boardroom. While many organizations recognize the importance of this policy, the struggle for compliance highlighted in the survey highlights significant systemic issues,” said Andre Troskie, EMEA Field CISO at Veeam. “The combined pressures of other business priorities and IT challenges explain the delays but do not reduce the urgency. Given the increasing frequency and severity of cyber threats, the potential benefits of NIS2 in preventing critical incidents and strengthening data resiliency cannot be overstated. Leadership teams must act quickly to close these gaps and ensure compliance, not just for regulatory reasons, but to significantly improve their organization’s resilience and protect critical data.”