Zscaler is a Business Reporter client.
By 17th October approximately 160,000 organisations across 15 sectors will have to comply with the new NIS 2 directive in Europe as they fall into the extended organisational categories. Accompanying this updated EMEA regulation are stricter requirements for risk management and incident reporting, wider coverage of sectors, and more hard-hitting penalties for non-compliance.
To promote a more proactive approach towards cyber-security, regulations such as the updated Network and Information Security Directive, known as NIS 2, have been introduced to provide organisations with the essential security processes and frameworks necessary to enhance their cyber-hygiene. This regulatory initiative is a response to today’s unprecedented threat landscape, with advances in technologies such as AI emboldening malware actors to find and exploit security vulnerabilities faster than ever. Faced with this dangerous and rapidly evolving environment, more and more organisations are recognising the limitations of their current, reactive cyber-security approach.
The NIS 2 Directive comes into force in October 2024, mandating that management within organisations in specific categories implement cyber-security risk management measures. It is focused on critical physical and digital infrastructure within EU member states, but it also has a surprisingly wide reach. It applies not only to organisations within the EU, but also to any organisation worldwide that provides services to any of the protected sectors within the EU.
The company size of affected organisations varies by sector, but range from a minimum of 50 employees for important entities (IEs) and a minimum of 250 employees for essential entities (EEs). EU member states can impose administrative fines for instances of NIS non-compliance. For essential entities, EU member states can impose administrative fines of up €10 million or 2 per cent of total worldwide annual turnover in the preceding financial year for non-compliance. For important entities, fines can reach €7 million or 1.4 per cent of total worldwide annual turnover in the preceding financial year.
Are European entities ready for compliance?
In April 2024, Zscaler conducted a survey across six European markets, engaging over 875 IT leaders to assess the progress of organisations in meeting the NIS 2 compliance requirements ahead of the deadline. The findings reveal a troubling disconnect between the confidence levels of European companies and their comprehension of the NIS 2 compliance prerequisites, despite the directive’s significance. This gap raises alarms about the possibility of a last-minute rush to compliance, which could shift focus from other vital cyber-security concerns, thereby intensifying existing vulnerabilities.
IT leaders across the European region are confident their organisations will be able to reach NIS 2 compliance ahead of the October deadline, with 80 per cent of those surveyed believing this to be the case. Meanwhile, 14 per cent of surveyed decision makers claim to have already met the requirements months ahead of the deadline. In the UK the confidence level is slightly higher compared with neighbouring countries, with 82 per cent of UK IT leaders confident their organisations will meet NIS 2 compliance requirements by the deadline and 15 per cent claiming to have already met them.
The confidence level of reaching compliance in time is high and IT teams have the backing of leadership who recognise the importance of such regulations for cyber-security success. However, despite IT leaders’ strong belief that their organisations will reach compliance in time, the survey suggests that this confidence may be built on shaky foundations. Only half of the European respondents (53 per cent) believe their teams fully understood what the requirements for NIS 2 compliance are. This drops to 49 per cent when asked if they felt leadership fully understood the requirements. The UK seems to be ahead of the game, with 57 per cent of the opinion that teams understand the demand for compliance, and 56 per cent of leadership believing they fully understand the requirements.
This higher confidence level is not a surprise, as UK organisations generally seem to be slightly ahead of continental Europe in adoption of technology trends. There is an element of the British “keep calm and carry on” mentality, with many companies being more willing to accept these changes and roll with the punches. The business leaders are looking for practical and efficient ways to comply without having to strip everything back and start their security processes again.
There is also a greater appetite from UK organisations to capitalise on new technologies faster to support their ongoing security framework. Meanwhile, the rest of Europe seems to be worrying about achieving NIS 2 compliance due to an extensive level of planning actually preventing any forward progress at this stage. This continental approach may provide dividends in the long run, but can delay the process.
Confidence doesn’t correlate with understanding
The report also highlighted a disconnect between how the directive is being positioned and how IT leaders might view it. NIS 2 is being positioned as a directive to improve foundational security and as an extension of the existing NIS framework. However, nearly two-thirds (62 per cent) of those surveyed believe it represents a significant departure from their current strategy, and in the UK close to three quarters of respondents believe this to be the case (74 per cent). This suggests that many businesses have not been keeping up with evolving technology solutions and have been getting away with maintaining the bare minimum security requirements for as long as they could.
While this assumption is affirmed by the fact that only a third (32 per cent) of IT leaders in continental Europe rated their existing cyber-hygiene as excellent, 45 per cent of UK IT leaders would rate their cyber-hygiene already as excellent, once more reflecting a higher confidence level. A similar picture is painted when organisations were asked if they have already implemented a modern zero-trust based security architecture. Two-fifths of respondents across Europe said that their organisation has yet to implement a zero-trust architecture as part of its cyber-security approach, with the UK in line on this question with 39 per cent.
This leaves organisations with significant ground to make up in the remaining months before the directive is turned into local laws at country level across Europe. Particular areas IT leaders identified as needing major change to become compliant were updating their technology stack or cyber-security solutions and educating both employees and leadership. Respondents also noted three areas of the directive which are causing them the biggest challenge: Security in network and information systems (31 per cent), basic cyber-hygiene practices and training (30 per cent), and policies and procedures to the effectiveness of cyber security risk-management measures (29 per cent).
The road ahead to NIS 2 compliance
Traditionally, IT teams would implement new technology on top of their current stack and flip a switch to tick the compliance box. Today, that isn’t enough to protect a digital estate. Instead, IT teams should be aiming to remove and simplify their technology stack, enabling them to become more agile and capable of updating their organisational environment at a faster pace. However, that doesn’t mean that technology has a lesser role to play in compliance efforts. In fact, 44 per cent of IT leaders believe tools and services are critical to a successful NIS 2 implementation, increasing to 54 per cent in the UK.
Government directives such as NIS 2 force organisations to review their current security processes and, if necessary, reinforce them to what is now considered the current base layer of protection.
This will not necessarily lift the ceiling of security. While it is possible to be wholly NIS 2 compliant on paper, organisations that approach it with this end-goal alone might end up having a low level of operational security. The research shows that many IT leaders understand this and recognise that NIS 2 doesn’t go far enough. A significant majority (71 per cent) of IT leaders across Europe and 80 per cent in the UK say that keeping today’s organisations cyber-secure requires a mindset change that won’t be brought about by a compliance exercise. Furthermore, 53 per cent question the sufficiency of NIS 2 regulations considering the scale of the cyber-security challenge, underscoring the need for more robust measures.
A mindset change is required
A shift in attitude is required to raise the security posture of IT in the digital age and move organisations from mitigating threats in progress to building a holistic overview of their environment that enables them to identify areas of risk ahead of time. To do this, IT teams must connect their multiple technologies and tools into one solution platform, such as Zscaler’s Zero Trust Exchange. This will help organisations reduce technology complexity by controlling permissions and monitoring digital traffic through one source and identify and respond to threat actors, minimising potential damage and the impact of attacks.
Implementing a zero-trust architecture helps to reduce an organisation’s attack surface, prevents lateral movement and allows organisations to securely connect the right user to the right application without exposing their networks to the internet. This significantly mitigates the risk of attacks while helping organisations meet NIS2’s mandates for secure data handling, access controls and incident management.
Ultimately, addressing NIS 2 compliance demands more than just procedural tweaks; it calls for a foundational shift towards proactive risk management and cyber-security vigilance. It is only through the adoption of this proactive approach that organisations can effectively contend with the dynamic threat environment and ensure the protection of their digital infrastructure.
For more information, visit zscaler.com.