The Network and Information Security Directive 2 (NIS2), which came into force in January 2023, marks a significant shift in the European Union's approach to cybersecurity. Building on the original NIS Directive, NIS2 introduced stricter security measures, tighter timelines for incident reporting, and a greater emphasis on supply chain security. Organizations that fail to comply could now face fines of up to €10 million or 2% of their global revenue, whichever is greater.
A recent survey conducted by SANS provides valuable insights into how organizations are preparing for NIS2 and the challenges they face. The survey gathered responses from approximately 500 professionals, ranging from security administrators and analysts to CSOs and CTOs. It captures a wide range of perspectives from across Europe and with additional input from North America and Asia, reflecting the global relevance of NIS2 for organizations operating in or providing services to the EU.
Understanding the threat landscape:
The survey reveals that nearly half of respondents (47%) consider the current cyber threat level to be "high", while 37% rate it as "severe or critical". This underscores the growing concern among organizations about the evolving nature of cyber threats. But despite these challenges, there is also optimism about the role of NIS2 in improving cybersecurity. A significant 60% of respondents view the directive as a positive and necessary development for improving the security of critical infrastructure and digital services.
Implementation progress and challenges:
Implementing the requirements of NIS2 is no small feat, however. According to the survey, 35% of organizations have already begun the process, while another 50% are actively working toward compliance. The journey is not without obstacles. Nearly half of the organizations cite a lack of resources as a major challenge, with 37% struggling with inadequate budgets to support the necessary security measures. In addition, 32% report difficulties due to a lack of in-house knowledge, highlighting a clear need for specialized training and expertise.
Industry-specific focus:
Certain sectors are perceived as particularly vulnerable to cyber threats under the new Directive. The survey identified energy, healthcare and public administration as the top three sectors most likely to face significant cybersecurity incidents, with energy leading the way at 52%. This insight reflects the critical importance of protecting essential services that, if disrupted, could have widespread societal and economic impacts.
Incident response and reporting:
A core component of the NIS2 Directive is its emphasis on rapid and effective incident response. The survey shows that 70% of organizations have formal incident response plans in place, which is critical for timely detection and recovery from cyber incidents. Yet around 30% of organizations still lack structured reporting mechanisms, a gap that could hinder compliance with NIS2's strict 24-hour incident reporting requirement. Fortunately, 26% of known incidents are contained within 6-24 hours of detection, although full remediation often takes 2-7 days. This suggests that while initial responses are fast, there is still room for improvement in the overall incident resolution process.
Readiness gaps between IT and ICS/OT:
The survey highlights a notable disparity in readiness between IT systems and industrial control systems (ICS) or operational technology (OT) environments. While 75% of organizations conduct annual security assessments for their IT systems, only 38% do the same for their ICS/OT environments. This gap is particularly concerning for critical infrastructure providers, as it indicates the need for more frequent and tailored assessments to protect industrial operations.
The role of training and awareness:
One of the most practical steps towards NIS2 compliance, identified by 26% of the sample, is to improve basic cyber awareness and employee training. Regular training programs can significantly reduce the risk of social engineering attacks such as phishing, which continues to be a common attack vector. Investing in comprehensive security awareness initiatives is essential to building a more resilient organizational culture.
Key recommendations for achieving compliance:
To navigate the complexities of NIS2, organizations should prioritize several key actions. Strengthening supply chain security is critical, as this remains the top area of concern, with 25% of those surveyed citing it as the most challenging aspect of the directive. This includes implementing more intensive supplier screening processes, conducting regular audits and ensuring that cybersecurity requirements are built into supplier contracts.
Organizations are also encouraged to form dedicated incident response teams to improve their ability to effectively manage security events. This can be particularly valuable in reducing response times and minimizing the impact of incidents on both IT and ICS/OT environments. Furthermore, allocating adequate resources and increasing cybersecurity budgets can support the adoption of advanced tools such as security information and event management (SIEM) systems and extended detection and response (XDR) solutions.
Looking ahead - Turning awareness into action:
The initial NIS2 compliance deadline passed on 18 October 2024, and country-specific legislation is expected to be adopted in the immediate future, so it is imperative for organizations to ensure that they comply with the directive's requirements. This includes aligning leadership with the directive's goals, securing the necessary resources, and ensuring that all stakeholders understand the consequences of non-compliance. By doing so, organizations will not only meet their regulatory obligations, but also strengthen their overall cybersecurity posture and become more resilient to modern threats.
Full report: NIS2 Directive Readiness: Compliance, Challenges, and Recommendations