NIS2 Compliance Strains EMEA Companies’ Resources and Exacerbates Cybersecurity Talent Shortage

The implementation of the NIS2 directive in the European Union has put companies in the EMEA region (Europe, the Middle East, and Africa) under significant pressure to comply with its stringent cybersecurity standards. A recent study commissioned by Veeam® Software, a global leader in data resilience, reveals that most companies have had to divert funds from other budgets to cover the costs associated with the regulation, increasing the burden on already resource- and skill-constrained IT departments.

Skills and Resource Shortage: The Main Challenge

The NIS2 directive, approved in January 2023, establishes new and strict cybersecurity requirements for companies in critical sectors. While 95% of surveyed companies have managed to secure the necessary budget to comply with the regulation, 30% have had to tap into funds intended for hiring personnel to cover the shortfall. The lack of IT skills, identified as the main challenge for 24% of organizations, has generated fierce competition in the labor market as companies seek experts capable of implementing the new cybersecurity regulations.

A Costly Adaptation Effort

According to the Veeam study, 68% of companies have received additional funding to comply with NIS2, although 20% still view the budget as a significant barrier. The need to comply with the regulation has led organizations to draw from other budgets: 34% have taken funds from risk management, 29% from crisis management, and 25% from emergency reserves. Edwin Weijdema, Veeam’s Field CTO for EMEA, warned about the concerning trend of treating the NIS2 directive as a crisis: “NIS2 should not be treated as an emergency; however, one in four businesses seems to view it that way.”

The Impact of NIS2 on IT Budgets

The cybersecurity demands of NIS2 have led to 80% of the IT budget in EMEA being allocated to security and compliance, leaving little room to tackle other key challenges, such as digital transformation or profitability. Companies have had to implement a variety of measures to comply with NIS2, which include IT audits (29%), cybersecurity process reviews (29%), development of new policies and procedures (28%), and investment in technology (28%).

Andre Troskie, Field CISO of Veeam in EMEA, noted that dedicating most of the budget to cybersecurity is a symptom of organizations’ lack of preparedness: “IT leaders have limited budgets but need to comply with NIS2 quickly. Those who adopted a holistic approach to security before the law required it are now facing less pressure.”

United Kingdom: A Proactive Response and More Resources for NIS2

Although the United Kingdom is not directly affected by NIS2, British companies operating in the EU must comply with the regulation. Surprisingly, the UK has been the only surveyed country that has increased its IT budget since January 2023. With 62% of British IT leaders reporting an increase in their budget, companies in the country are better positioned to strengthen their security posture in light of the directive.

Dan Middleton, Regional Vice President of Veeam for the UK and Ireland, highlighted the UK’s advantage in terms of investment and preparation: “90% of British IT leaders feel confident in their ability to meet regulatory requirements, the highest level of confidence in EMEA. This proactive approach will benefit British companies when the upcoming Cyber Security and Resilience Bill comes into effect.”

What is NIS2 and Why is it Changing the Cybersecurity Landscape?

The NIS2 directive was designed to improve cybersecurity in critical sectors within the EU, increasing corporate accountability and resilience against cyberattacks. Since its approval, companies have had to double down on efforts to adapt to its requirements, facing strict penalties for non-compliance. Organizations that invest in advanced technology and bolster their cybersecurity teams are better prepared to tackle the complexity posed by this regulation.

The Challenge for the Future of Cybersecurity in the EMEA Region

The entry into force of NIS2 underscores the growing priority of cybersecurity in today’s digital environment. Although the initial cost is significant, the long-term benefits of enhanced resilience and effective compliance with the regulation are undeniable. Veeam concludes that companies adopting a comprehensive security approach will be better positioned not only to comply with NIS2 but also to address the challenges of an ever-evolving digital economy.
