NIS 2 compliance: “it is urgent to wait”, business leaders seem to think


There is a gap between European businesses’ confidence in their ability to comply with the directive and their actual preparation. Companies seem confident about their capacity, hence the apathy of management who are not rushing to launch compliance projects.

When it comes to cybersecurity, the “next stop” for providers and businesses is compliance with the requirements of the new NIS2 regulations. This directive represents an important step towards better security of critical infrastructures in Europe. Although this imposes additional obligations and costs, businesses should prepare now to be ready before the deadline of October 18, 2024.

By then, all Member States of the European Union must have transposed the requirements of the NIS2 Directive into their national legislation. The entities concerned must have put in place the necessary measures to comply with the new standards.

Zscaler has just published a study on the preparation, or unpreparedness, of companies and on their perception of where they stand in relation to the NIS 2 deadlines. It highlights the gap between European companies’ confidence that they will comply with the directive by the October 17 deadline and their actual understanding of its requirements. The study is based on feedback from more than 875 IT managers across six European markets.

CISOs must raise awareness among stakeholders

According to its findings, while a majority (80%) of respondents are confident their company will meet the compliance requirements before the deadline, only 14% say they have already complied. Furthermore, just over half of IT managers (53%) believe that their teams fully understand the requirements, while slightly fewer (49%) think that management understands their full implications.

This gap highlights the need for awareness. CISOs must therefore take on the role of evangelist and raise awareness among all relevant stakeholders, in order to guarantee understanding, and ideally ownership, before the fateful date. This extends from the board of directors to department heads and company employees.

The authors of the study, noting the gap between the confidence displayed and the actual progress of work in companies, rightly ask whether companies understand the implications of the directive. “There is a gap between the confidence displayed by those in charge regarding compliance with the directive on time and their real understanding of its content,” they say. “This highlights the friction between their rhetoric on the NIS 2 directive and the real actions implemented to achieve it.” In short, this confidence is either a form of the Coué method or the result of ill-informed optimism.

IT does not receive the necessary support from management

Analysis of the figures makes the discrepancy even more obvious. Respondents indicate that IT leaders recognize the growing importance of the NIS 2 regulation: a third (32%) say it is a top priority for their leaders, and 52% say it is becoming increasingly important.

But this priority does not seem to translate into the proper support needed by IT teams, who carry the entire weight of compliance on their shoulders. As a result, most IT managers (56%) believe that their teams do not receive the necessary support from management to meet the compliance deadline.

This gap between the voluntarism of cyber managers and the inaction of their management can be explained by previous experience with regulatory change, namely the GDPR. Business leaders are undoubtedly counting on the leniency of regulatory authorities, as was the case when the GDPR came into force.

They hope to benefit from a transition period. As a reminder, companies benefited from a two-year transition period to comply with the GDPR. It is quite possible that lawmakers will take a similar approach for NIS 2, but this is unconfirmed at this point.

Jump ahead to catch up

As Olivier Godin, SRVP Sales at Zscaler France, explains: “While there is some confidence in the ability of businesses to become compliant with NIS 2 ahead of the fast-approaching deadline, our research shows that this confidence may rest on relatively shaky foundations. If not vigilant, many businesses could find themselves skipping ahead and neglecting other cybersecurity processes.” This possibility is acknowledged by 60% of IT managers, according to the study.

Even though the NIS 2 directive builds on the NIS 1 framework currently in force, 62% of respondents believe that it differs significantly. To comply with the directive, IT managers have a fairly precise idea of the projects that await them. They recognize that they need to make significant changes to their technology stack and cybersecurity solutions (34%), to raise awareness among employees (20%) and to raise awareness among managers (17%).

Among the parts of the directive most often cited as problematic, security in the acquisition, development and maintenance of networks and information systems (31%) comes first. This is followed by basic cyber hygiene and cybersecurity awareness practices (30%), and then by policies and procedures for effective cybersecurity risk management measures (29%).

Legacy Systems Can Cause Problems

Beyond the gap described above, the study points to another problem: legacy systems, which are not ready for the next step, can pose difficulties. “Although the directive presents itself as a set of fundamental cybersecurity requirements, the study reveals that many European companies are not as advanced as they should be when it comes to cybersecurity standards,” write the authors of the study.

Thus, less than a third (31%) of respondents consider their current level of cyber hygiene to be “excellent”. Among the least prepared sectors, the study notes that only 14% of IT managers in transport and 21% in the energy sector say they have achieved this level of excellence. These figures show that too few companies in some critical infrastructure sectors have implemented security controls in recent years.

Compliance with NIS 2 may be too high a step for these companies. They could struggle to put in place technical, operational and organizational measures to manage the risks that threaten the security of networks and information systems.
