NIS2 compliance eats up IT budgets despite doubts

The EU’s NIS2 Directive for cybersecurity resilience entered full enforcement this month, and compliance with its requirements presents major challenges for many companies.

A survey conducted by Veeam at the end of August found that while most IT leaders are confident of achieving NIS2 compliance, they also acknowledged that the cybersecurity directive has exacerbated existing challenges such as resource constraints and skills gaps.

For example, 95% of companies affected by NIS2 had to divert funds from other business areas to cover the costs of NIS2 compliance, including taking away budget from:

• Risk management (34%)
• Recruitment (30%)
• Crisis management (29%)
• Emergency reserves (25%)

And although companies have already cut their IT budgets over the past two years, additional funds have been allocated to comply with NIS2, according to 68% of those surveyed. This limitation may also explain why 80% of IT budgets are now allotted to cybersecurity and compliance, according to Veeam.

“Maintaining security and compliance is vital for any organization, but the fact that it currently consumes most of the IT budget highlights how underprepared and under-resourced organizations are,” commented Andre Troskie, Field CISO EMEA at Veeam, in a release.

“NIS2 shouldn’t be treated as a crisis, yet one in four businesses appears to view it that way,” added his colleague Edwin Weijdema, Field CTO EMEA at Veeam, in the release.

While 90% of respondents reported having at least one security incident that NIS2 adherence could have prevented in the past 12 months, only 43% believe NIS2 will improve EU cybersecurity substantially.

The NIS2 Confidence Survey, conducted by Censuswide on behalf of Veeam, involved over 500 IT decision-makers from Germany, Belgium, France, the Netherlands, and the UK. Participants were selected from industries that are essentially subject to the NIS2 Directive.