Is Europe Facing a NIS2 Compliance Nightmare? 

Insight-sponsored research reveals 75% of European IT decision makers still unsure of NIS2 compliance requirements for their organisations.

London, England, Nov. 12, 2024 - A recent IDC InfoBrief*, sponsored by Insight Enterprises (NASDAQ:NSIT), has unveiled alarming delays across Europe in meeting the stringent cybersecurity regulations mandated by the NIS2 Directive. The findings reveal that numerous organisations are grappling with significant internal obstacles that are critically impeding their compliance efforts. Alarmingly, the survey highlights a pervasive lack of awareness regarding the essential steps needed to achieve full NIS2 compliance, adding layers of complexity to an already daunting regulatory landscape.

Lack of company awareness or knowledge of the directive demands

What should be concerning organisations are the financial penalties and personal liabilities executives are facing for NIS2 noncompliance. These include fines of up to 10M EUR or 2 percent of global revenue, and removal of Executives rights to hold managerial positions**.

Surveying IT managers and decision makers across Europe shortly before the October 17 deadline, the survey found a general lack of awareness of all the implications of the directive and how it would affect companies’ day-to-day operations across European organisations. Key findings showed that:

· Three out of four European organisations surveyed did not have full awareness and detailed knowledge of the NIS2 Directive.

Whilst not every organisational layer requires detailed knowledge of NIS2 implementation, the individuals surveyed were mostly IT (security) managers and directors in companies sized 59-999 employees, who might be expected to drive or oversee NIS2 compliance within their organisation.

Intercompany misalignment between C-Suite and IT/tech managerial level

The survey also has highlighted an irregularity in company communication and alignment, as results show a discrepancy between the CEOs’ perceptions of their companies’ readiness and their own IT teams’ opinions. While the C-Suite considers compliance a high priority, this belief is not shared by IT managers, many of whom believe that organisations are not taking compliance seriously enough. The survey found that:

· 46% of European CEOs see improving risk management posture as the No. 1 priority … yet 42% of IT and security managers state that their boards (C-Suite) are not engaged in NIS2 compliance.

When asked about the reasons for C-Suite disengagement on NIS2 compliance, findings show that:

· The board only focuses on business/growth; compliance is a low priority (43%)

· The board has low understanding of cybersecurity risk and how it relates to the business (33%)

· The board is unable to understand technical considerations (30%)

· The board has low awareness of cybersecurity risk (28%)

Lack of in-house expertise to execute compliance tasks

A further business deficit highlighted by the survey’s findings is one of organisational staffing. When asked about issues that are hampering their organisation’s ability to comply with the directive, those surveyed referenced “human factors such as lack of sufficient technical staff” as a top-three challenge. In fact, results showed that:

· 57% reported that their compliance workload is overwhelming their in-house teams

· 52% admitted that they do not have the in-house skills to become fully compliant

Many organisations’ inability to meet technical staffing needs around NIS2 compliance are further exemplified when considering that 54% expect to rely on a managed security services provider within the next two years for help.

“Despite the deadline for NIS2 compliance having passed, this Infobrief reveals a critical shortfall in many organisations' efforts to meet the standards,” Insight’s CISO and Security Technology Lead, Rob O’Connor, said. “The survey results highlight an alarming gap in prioritisation and awareness among C-suite executives regarding cybersecurity compliance, as perceived by IT management. Additionally, the findings underscore the lack of in-house expertise needed to achieve compliance, driving an increasing reliance on external support.”

O’Connor added: “As a leading Solutions Integrator, we are witnessing a surge in requests for cybersecurity guidance to handle the hefty demands of NIS2 compliance. Although the legislation may not yet be enshrined in law in all countries, these results should serve as a wake-up call, reminding organisations to set their own NIS2 compliance deadlines immediately.”

Whilst the NIS2 Directive came into force across Europe on October 17 as a common approach to security compliance across the European Union, to date only six*** EU countries have enshrined NIS2 into their legislation.

For more information on Insight, visit NIS2 | Insight UK. 

*Source: IDC InfoBrief, sponsored by Insight, NIS2: What Is Your Deadline?, doc #EUR252648424, October 2024

** excluding Germany

*** Belgium, Lithuania, Latvia, Croatia, Hungary, Italy