Just a third (34%) of impacted organizations in the UK, France and Germany are prepared for the EU’s updated Network and Information Security Directive (NIS2) one year before the legislation comes into force, according to a survey of 1500 IT decision makers by cybersecurity firm Sailpoint.
UK organizations, which must comply with the directive if they operate in the EU, are particularly unprepared, with three-quarters yet to fully address the five key requirements for compliance.
Broken down, Sailpoint found the following percentages of UK organizations surveyed still need to complete each of the five requirements:
- 80% still need to properly secure their supply chains
- 76% must assess the efficiency of existing cyber measures
- 74% need to add new risk management measures
- 76% need to implement HR security
- 72% still need to provide cybersecurity training to staff
Sailpoint warned businesses against being complacent about addressing these areas, as each one takes five months on average to complete.
Failure to comply with the directive can lead to fines of up to €10m ($10.5m), or 2% of an organization’s global annual revenue.
What is NIS2?
NIS2 is an update to the EU’s original NIS directive, which was passed in 2016 and became law in most member states in 2018. The new rules are designed to reflect greater reliance on digital systems and rising cyber-threats, and bring more industries and entities under the directive’s umbrella.
It encompasses ‘very critical sectors,’ such as energy, transport, banking and healthcare, and applies to organizations with more than 250 employees and an annual turnover of €10 million or more.
NIS2 was enacted in January 2023, and the deadline for the transposition of the provisions into the national law for member states is October 17, 2024.
Stephen Bradford, Senior Vice President EMEA at Sailpoint, urged organizations to use the next 12 months wisely and not repeat the mistakes many made by failing to prepare adequately for the GDPR before that law came into force in 2018.
He noted: “With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation. The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher.
“Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses.”