A Fifth of UK Enterprises “Not Sure” If NIS2 Applies

A large number of UK enterprises could face major regulatory penalties after admitting they are “not sure” if the new EU NIS2 Directive applies to their business, a new study has revealed.

Cybersecurity consultancy Green Raven polled 200 cybersecurity leaders in UK organizations with over 1000 employees.

Although more than two-thirds (68%) were clear that the new rules did apply to their business, a substantial 22% claimed not to know. While Britain has left the EU, any organization doing business in the bloc – including importers/exporters and those with subsidiaries on the continent – must still comply with EU law.

Additionally, some 10% of respondents who confirmed that NIS2 applies to their organization admitted that they weren’t compliant as of October 17. That was the deadline for member states to implement the directive into national law.

NIS2 is the European Commission’s attempt to improve baseline security posture across the bloc, by mandating a minimum set of security controls, a greater focus on incident and supply chain risk management, and making senior management liable for serious non-compliance. It also brings a large number of additional “essential” and “important” entities into scope.

Depending on the country, NIS2 fines could reach €10m or 2% of global annual revenue for essential entities.

“Not Sure” is Not Good Enough

Morten Mjels, CEO of Green Raven, expressed surprise that so many senior UK cybersecurity leaders aren’t aware of their NIS2 compliance obligations.

“Saying ‘yes, we’re compliant’ may be acceptable; admitting that ‘no, we’re not compliant but we’re working on it’ may also be acceptable – assuming there may be a grace period when new regulations come into force,” he argued.

“However, eventually, failure to be compliant is going to significantly impact the ability of these organizations to do business in Europe or is going to attract a significant fine. Saying ‘we weren’t sure’ is unlikely to be much of a defense.”

The Green Raven study chimes with the findings of an Infosecurity Magazine webinar hosted just a week before the NIS2 deadline, in which participants expressed confusion as to whether the directive applies to their organization.

The UK is updating its own NIS Regulations next year with the Cyber Security and Resilience Bill. Although it’s shaping up to be a far less ambitious piece of legislation than NIS2, 46% of CISOs Green Raven spoke to said they expect the bill to make unwanted demands of UK businesses.
