NIS2 Compliance Puts Strain on Business Budgets

Meeting compliance requirements with the EU’s Network and Information Security (NIS)2 Directive has forced many organizations to divert funds from other areas of the business, according to research from Veeam.

The cybersecurity firm found that 95% of applicable firms had done so to meet the new requirements.

Over a third (34%) of these EMEA-based businesses have dipped into their risk management budgets, 30% from wider recruitment, 29% from crisis management and 25% from emergency reserves.

The Veeam report found that 20% of IT leaders identified budget as a significant barrier to achieving compliance.

However, 68% of firms reported receiving the necessary additional budget for NIS2 compliance.

The survey also found that since political agreement for NIS2 was reached in January 2023, 40% of businesses have faced decreased IT budgets and 20% have unchanged financials.

Edwin Weijdema, Field CTO EMEA at Veeam, said the strict penalties that NIS2 applies for non-compliance, including the potential for individual corporate liability, may ensure additional funds are allocated for compliance, but potentially at the detriment of other parts of the business.

“As most IT budgets are either being cut or remaining stagnant – effectively shrinking due to rising business costs and inflation – NIS2 is pulling from an already limited pool. It's particularly concerning to see funds being redirected from recruitment and emergency reserves. NIS2 shouldn’t be treated as a crisis, yet one in four businesses appears to view it that way,” commented Weijdema.

The EU’s NIS2 Directive came into force on October 17, 2024, the deadline for the legislation to be incorporated into member state national laws.

NIS2 covers a range of areas, including incident response and reporting, supply chain security, data security and training. The directive is expected to impact about 150,000 large and medium companies within the EU that are designated as ‘essential’ or ‘important.’

In addition, the provisions apply to organizations that are part of the supply chain for these sectors, including those based outside the EU, such as the UK.

The Veeam survey included 500+ IT decision-makers from Belgium, France, Germany, the Netherlands, and the UK.

Organizations Taking Compliance Action

Applicable businesses are taking a range of steps to ensure compliance with NIS2. These include:

  • Conducting IT audits (29%)
  • Reviewing cybersecurity processes and best practices (29%)
  • Developing new policies and procedures (28%)
  • Investing in new technology (28%)
  • Increasing budget allocation for cybersecurity (28%)

Overall, 80% of EMEA IT budgets are now allocated to cybersecurity and compliance by companies required to comply with NIS2.

This is despite NIS2 ranking relatively low on the priority list for IT leaders, in 10th place. The top five priorities identified by IT leaders were the skills gap (24%), profitability concerns (23%), digital transformation (23%), the rising cost of doing business (20%) and a lack of resources (20%).