EMEA businesses siphoning budgets to hit NIS2 goals
With NIS2 now in effect, European business leaders are having to divert budget from elsewhere to achieve compliance
With the European Union’s (EU) NIS2 regulations now in full effect, IT leaders across the region report that they are struggling to secure budget for their compliance efforts, with 95% saying they have been forced to dip into funds earmarked for other purposes.
This is according to a Censuswide study of EMEA IT leaders commissioned by backup and security specialist Veeam Software, which found that while most are fairly confident about meeting their compliance goals, the NIS2 directive is amplifying other challenges.
The study found that while 68% of companies had received the necessary additional budget for NIS2 compliance, 34% had done so by siphoning cash from their risk management budgets, 30% from recruitment, 29% from crisis management, and 25% from emergency reserves.
“Securing adequate budget for cyber security is often a challenge for IT leaders, but the strict penalties and emphasis on corporate accountability from NIS2 may help ease that process,” said Veeam’s EMEA field CTO, Edwin Weijdema.
“However, as most IT budgets are either being cut or remaining stagnant – effectively shrinking due to rising business costs and inflation – NIS2 is pulling from an already limited pool. It’s particularly concerning to see funds being redirected from recruitment and emergency reserves. NIS2 shouldn’t be treated as a crisis, yet one in four businesses appear to view it that way.”
Coupled with overall reductions in IT spending – Veeam found that 40% of surveyed organisations had cut their IT budgets since Brussels reached political agreement on the directive in January 2023 – the reallocation points to growing strain on financial resources that were already stretched thin.
Indeed, said Veeam, with 80% of EMEA IT budgets now allocated to cyber security and compliance in organisations within scope of NIS2, there is little capacity left for other pressing challenges, such as recruiting to fill empty tech roles and enabling wider digital transformation.
“Maintaining security and compliance is vital for any organisation, but the fact that it currently consumes most of the IT budget highlights how underprepared and under-resourced organisations are,” said Andre Troskie, EMEA field CISO at Veeam.
“IT leaders have limited budgets, yet still need to find the resources to meet NIS2 requirements quickly. Those who adopt a holistic approach to security and best practices before legislation mandates them will naturally face less pressure, allowing them to better address other key priorities and challenges.”
Brexit, what Brexit?
Although NIS2 does not apply directly to UK companies, the need to comply in order to do business with in-scope entities in the EU has produced a situation in which British organisations are the best prepared for the directive.
This situation has arisen in part because the UK was the only country in the survey data in which IT budgets had increased since January 2023, enabling IT leaders to invest with confidence in improving their security postures ahead of NIS2 coming into force.
A total of 38% of UK-based respondents to the Veeam study said they had already invested in reviewing their organisation’s cyber processes and best practices, and 34% had invested in new security technology – both significantly higher than their EU counterparts.
The Brits also said they planned to continue these investments in the coming months, with 30% planning further process reviews and 25% keen to keep spending on cyber tech, compared to 15% and 16% in the rest of Europe.
Veeam’s Dan Middleton, regional vice-president for the UK and Ireland, said that he was not surprised so many UK decision-makers felt confident in their ability to comply with NIS2, given their readiness to invest.
“This is good news ahead of the upcoming Cyber Security and Resilience Bill,” said Middleton. “While the details are yet to be released, any moves UK businesses make now to enhance their cyber and data resilience will benefit them when this regulation comes into force.
“This includes the planned investment by over one-third (36%) of UK respondents in upskilling existing employees, which will help tackle the growing skills gap, an issue putting a third (30%) of UK businesses under more pressure than any other common IT challenge.”