UK organizations confident they will meet the NIS 2 compliance schedule

Zscaler is a Business Reporter client.

By October 17, approximately 160,000 organizations across 15 sectors in Europe will have to comply with the new NIS 2 directive, as they fall into its expanded organizational categories. This updated EMEA regulation brings stricter requirements for risk management and incident reporting, broader sector coverage and tougher penalties for non-compliance.

To promote a more proactive approach to cybersecurity, regulations such as the updated Network and Information Security Directive, known as NIS 2, have been introduced to provide organizations with the essential security processes and frameworks necessary to improve their cyber hygiene. This regulatory initiative is a response to today's unprecedented threat landscape, with advances in technologies such as AI encouraging malware actors to find and exploit security vulnerabilities faster than ever. Faced with this dangerous and rapidly evolving environment, more and more organizations are recognizing the limitations of their current reactive approach to cybersecurity.

The NIS 2 Directive will come into force in October 2024 and requires management within organizations in specific categories to implement cybersecurity risk management measures. It focuses on critical physical and digital infrastructure within EU member states, but is also surprisingly broad in scope. It applies not only to organizations within the EU, but also to any organization worldwide that provides services to any of the protected sectors within the EU.

The business size of affected organizations varies by sector, but ranges from a minimum of 50 employees for important entities (IE) to a minimum of 250 employees for essential entities (EE). EU member states can impose administrative fines in cases of non-compliance with the NIS. For essential entities, EU member states can impose administrative fines of up to €10 million or 2 percent of total global annual turnover in the preceding financial year for non-compliance. For large entities, fines can reach €7 million or 1.4 percent of total global annual turnover in the preceding financial year.

Are European entities prepared for compliance?

In April 2024, Zscaler conducted a survey in six European markets, engaging more than 875 IT leaders to assess organizations' progress in meeting NIS 2 compliance requirements by the deadline. The findings reveal a worrying disconnect between European companies' confidence levels and their understanding of NIS 2 compliance prerequisites, despite the importance of the directive. This gap raises alarms about the possibility of a last-minute rush to compliance, which could divert attention from other vital cybersecurity concerns and thereby intensify existing vulnerabilities.

Across Europe, 80 percent of the IT leaders surveyed are confident that their organizations will be able to comply with NIS 2 by the October deadline. Meanwhile, 14 percent of the decision-makers surveyed say they met the requirements months before the deadline. In the UK, the level of confidence is slightly higher than in neighboring countries: 82 percent of UK IT leaders are confident that their organizations will meet NIS 2 compliance requirements by the deadline, and 15 percent say they have already met them.

Confidence in achieving compliance on time is high, and IT teams are supported by leaders who recognize the importance of such regulations to cybersecurity success. However, despite IT leaders' firm belief that their organizations will achieve compliance on time, the survey suggests that this confidence may rest on shaky foundations. Only half of European respondents (53 percent) believe their teams fully understand what the requirements for NIS 2 compliance are. This figure drops to 49 percent when asked whether they feel leadership fully understands the requirements. The United Kingdom appears to be leading, with 57 percent believing their teams understand the compliance requirements and 56 percent believing their leaders fully understand them.

This higher level of confidence is not a surprise, as UK organizations overall appear to be slightly ahead of continental Europe in adopting technology trends. There is an element of the British "keep calm and carry on" mentality, and many businesses are more willing to accept these changes and move on. Business leaders are looking for practical and efficient ways to become compliant without having to strip everything down and start their security processes over again.

There is also a greater appetite among UK organizations to capitalize more quickly on new technologies to support their current security framework. Meanwhile, the rest of Europe appears to be concerned about achieving NIS 2 compliance because of an extensive level of planning that is actually preventing progress at this stage. This continental approach can pay dividends in the long term, but it can delay the process.

Confidence does not correlate with understanding

The report also highlighted a disconnect between how management is positioning NIS 2 and how IT leaders view it. NIS 2 is being positioned as a directive to improve fundamental security and as an extension of the existing NIS framework. However, almost two-thirds (62 percent) of respondents believe it represents a significant departure from their current strategy, and in the UK nearly three-quarters of respondents (74 percent) believe this is the case. This suggests that many companies have not kept up with the evolution of technological solutions and have gotten away with maintaining minimum security requirements for as long as possible.

This assumption is borne out by the fact that only a third (32 percent) of IT leaders in continental Europe rated their existing cyber hygiene as excellent, whereas 45 percent of UK IT leaders would rate their cyber hygiene as excellent, once again reflecting a higher level of confidence. A similar picture emerges when organizations are asked whether they have already implemented a modern security architecture based on zero trust. Two-fifths of respondents across Europe said their organization has yet to implement a zero trust architecture as part of their cybersecurity approach; the figure for the United Kingdom is 39 percent.

This leaves organizations with a lot of ground to make up in the remaining months before the directive is transposed into national law across Europe. The particular areas that IT leaders identified as needing major changes to become compliant were updating their technology stack or cybersecurity solutions and educating both employees and leaders. Respondents also noted the three areas of the policy that are causing them the greatest challenge: security in networks and information systems (31 percent), basic cyber hygiene practices and training (30 percent), and policies and procedures for assessing the effectiveness of cybersecurity risk management measures (29 percent).

The path to NIS 2 compliance

Traditionally, IT teams would deploy new technology on top of their current stack and flip a switch to check the compliance box. Today, that is not enough to protect a digital estate. Instead, IT teams should aim to consolidate and simplify their technology stack, allowing them to be more agile and able to update their organizational environment at a faster pace. However, that does not mean technology has a smaller role to play in compliance efforts. In fact, 44 percent of IT leaders believe tools and services are critical to a successful NIS 2 implementation, a figure that rises to 54 percent in the UK.

Government directives such as NIS 2 force organizations to review their current security processes and, if necessary, strengthen them to what is now considered the current base layer of protection.

This will not necessarily raise the security ceiling. While it is possible to be fully compliant with NIS 2 on paper, organizations that approach it solely with this end goal may end up with a low level of operational security. The research shows that many IT leaders understand this and recognize that NIS 2 does not go far enough. A significant majority (71 percent) of IT leaders in Europe and 80 percent in the United Kingdom say that keeping today's organizations cyber-secure requires a change in mindset that will not be achieved through a compliance exercise. Additionally, 53 percent question the adequacy of the NIS 2 regulations given the scale of the cybersecurity challenge, underscoring the need for stronger measures.

A change of mentality is required

A shift in attitude is required to elevate IT security posture in the digital age and move organizations from mitigating ongoing threats to building a holistic overview of their environment that allows them to identify risk areas early. To do this, IT teams must connect their multiple technologies and tools into one solution platform, such as Zscaler Zero Trust Exchange. This helps organizations reduce technological complexity by controlling permissions and monitoring digital traffic from a single source, and by identifying and responding to threat actors, minimizing the potential damage and impact of attacks.

Implementing a zero trust architecture helps reduce an organization's attack surface, prevents lateral movement, and allows organizations to securely connect the right user to the right application without exposing their networks to the Internet. This significantly mitigates the risk of attacks while helping organizations meet NIS 2 mandates for secure data handling, access controls and incident management.

Ultimately, addressing NIS 2 compliance requires more than procedural adjustments; it requires a fundamental shift towards proactive risk management and cybersecurity oversight. Only by adopting this proactive approach can organizations effectively address the dynamic threat environment and ensure the protection of their digital infrastructure.

For more information visit zscaler.com.