The NIS2 cybersecurity directive places a number of new obligations on companies operating within the European Union. The national law of each member of the community must be adjusted by 17 October 2024, but companies covered by the NIS2 regulations should begin planning reserves in their budgets now. The European Commission estimates that companies’ expenditures on digital security will have to increase by up to 25% over the next 3-4 years due to the new requirements.
According to the plans for NIS2, which is the new version of the cybersecurity directive, companies from certain sectors will soon have to demonstrate that their procedures comply with the new digital security requirements. There aren’t any exact national guidelines yet, but the key assumptions are known – more obligations and an expansion of the list of sectors covered by the new law, among them transportation, finance, public administration, and digital service providers.
Increased Responsibility and Costs
Organizations that have not yet analyzed risks and developed appropriate procedures to ensure business continuity from an IT perspective find themselves in a particularly difficult situation. The experts working on NIS2 have estimated, based on data from companies adjusting to the first version of the directive from 2016, that organizations will have to increase their expenditures on network and digital information security by about 22% over the next 3-4 years. Medium-sized enterprises should prepare for an increase of about 25%. These projections concern organizations that will need to build IT security from the ground up. For those sectors already covered by NIS and having a certain level of security, an expenditure increase of about 12% is predicted. Medium-sized companies see the cost increase by about 15%. These data come from a European Commission document on the potential effects of NIS2 implementation, including the costs associated with building new teams, purchasing hardware, software, services, administrative costs, and expenditures on internal development work.
In the face of such significant changes, many organizations may be interested in outsourcing tasks and processes to meet the new obligations. “There’s not much time left to prepare for the new regulations, but the good news is that we’re able to take advantage of external services instead of building internal competencies from scratch. If organizations lack procedures and manpower, they can get support from IT service providers who specialize in consulting and other services related to maintaining business continuity – monitoring systems and IT services, security actions, backup and disaster recovery solutions, and maintaining their IT infrastructure in professional, purpose-built centers,” explains Wojciech Darłowski, a board member at Beyond.pl, a supplier of data center, cloud, and managed services.
According to the European Commission, the costs of complying with NIS2 regulations can only benefit enterprises in the medium and long-term. These benefits include a reduction in the number of security breach incidents and losses related to cybercrime, a reduction in the costs of service unavailability and liabilities for breaches, and in effect, an increase in customer trust, improving the company’s reputation, and protection against unfair competition associated with industrial espionage.
Changes in Procedures and More
NIS2 introduces the responsibility of management boards, including personal responsibility, for ensuring the organization has an adequate level of security. New penalties for violations are also introduced, amounting to even 10 million euros or a certain percentage of turnover. Organizations that fall within the sectors covered by the new rules will have to not only meet detailed requirements but also prove that their procedures comply with them.
“Current situation audits will be required to check which requirements the organization is already compliant with and which areas need strengthening. Key areas requiring verification are incident reporting and strengthening IT security procedures. Next, a review of risk management and IT infrastructure monitoring processes is needed. These could be significant changes requiring additional budgets, especially for middle-sized companies who have not paid enough attention to these areas,” says Wojciech Darłowski from Beyond.pl.
Despite the high costs to businesses, these changes are necessary. According to a report by the European Union Agency for Cybersecurity, or ENISA, the costs of major cyber incidents in 2022 increased by a quarter compared to 2021. However, this did not lead to an increase in financial resources allocated for corporate IT security. Organization budgets for cybersecurity-related expenditures have only grown by 0.4% year on year. The conclusion? Budgets and organizational engagement are growing much slower than the challenges. The biggest data leak in Poland from May 2023, when 6 million logins and passwords were stolen, clearly indicates that the increased IT security mandated by NIS2 is a necessity.
