Most Companies Likely to Miss Upcoming NIS2 Deadline as New EU Cybersecurity Directive Takes Effect

New Veeam Software Survey Reveals Compliance Challenges Ahead of NIS2 Deadline

As the European Union (EU) prepares to implement the Network and Information Security Directive 2022/2555 (NIS2) on October 18, a recent survey conducted by Censuswide and commissioned by Veeam Software has unveiled a concerning landscape for businesses across the EMEA region. While approximately 80% of organizations express confidence in their ability to adhere to the new cybersecurity regulations, a staggering 66% anticipate missing the compliance deadline. This paradox highlights a significant gap between perceived readiness and actual preparedness.

Understanding NIS2 and Its Implications

NIS2 is designed to bolster cybersecurity across the EU, establishing a framework that mandates essential security measures for businesses, particularly those deemed essential and important entities. The directive aims to mitigate the rising tide of cyber threats that have plagued organizations in recent years. Non-compliance can lead to severe penalties, including administrative fines of up to EUR 10 million or 2% of total annual worldwide turnover, making adherence not just a regulatory obligation but a critical business imperative.

Survey Insights: Confidence vs. Reality

The survey, which included responses from over 500 IT decision-makers in Belgium, France, Germany, the Netherlands, and the UK, revealed a striking dichotomy. While nearly 80% of respondents are confident in their eventual compliance with NIS2, the looming deadline has left many organizations feeling unprepared. Alarmingly, 90% of EMEA businesses reported experiencing cybersecurity incidents in the past year that NIS2 could have potentially prevented. Among these, 44% faced more than three incidents, with 65% of those categorized as “highly critical.”

Anand Eswaran, CEO of Veeam, emphasized the importance of a coordinated approach to tackle the increasing complexity of cyber threats. He stated, “NIS2 will set the new standard baseline of compliance for all enterprises around the world as we continue to battle this era of continuous cyber threats with data resilience.”

Barriers to Compliance

Achieving compliance with NIS2 is no small feat. Organizations must implement a range of measures, including defining incident response plans, securing supply chains, assessing vulnerabilities, and evaluating overall security levels. However, the survey identified several barriers that hinder compliance efforts:

  1. Technical Debt (24%): Many organizations struggle with outdated systems and technologies that complicate compliance.

  2. Lack of Leadership Understanding (23%): A disconnect between IT teams and executive leadership can lead to insufficient prioritization of cybersecurity initiatives.

  3. Insufficient Budget/Investments (21%): Despite the urgency of compliance, 40% of respondents reported decreased IT budgets since the announcement of NIS2 in January 2023.

  4. Perceived Lack of Consequences (42%): Many respondents believe that the penalties for non-compliance are not severe enough to warrant immediate action, leading to widespread apathy towards the directive.

Competitive Pressures and Prioritization

The slow pace of NIS2 adoption can also be attributed to competing business priorities. Respondents ranked NIS2 lower in urgency compared to other pressing issues, such as addressing the skills gap, profitability, and digital transformation. This misalignment of priorities poses a significant risk, as organizations may overlook the importance of compliance until it is too late.

Despite the skepticism surrounding NIS2, 74% of respondents view the directive as beneficial. However, 57% doubt its potential to significantly enhance the overall cybersecurity posture of the EU. Concerns about the directive’s comprehensiveness and its overlap with existing regulations further contribute to the hesitance among businesses.

The Path Forward

As the October 18 deadline approaches, organizations must act swiftly to bridge the gaps in their compliance strategies. Leaders need to prioritize cybersecurity not just as a regulatory obligation but as a fundamental aspect of organizational resilience. By investing in the necessary resources and fostering a culture of cybersecurity awareness, businesses can better prepare themselves for the challenges posed by NIS2 and the evolving threat landscape.

In conclusion, while confidence in compliance is high among EMEA businesses, the reality of the situation reveals a pressing need for action. With the potential for hefty fines and service suspensions looming, organizations must prioritize their cybersecurity strategies to ensure they meet the NIS2 requirements and safeguard their critical data.

For more information on Veeam and its commitment to data resilience, visit Veeam’s website.
