With the NIS2 directive coming into force across the European Union, a recent survey conducted by Censuswide for Veeam Software has revealed the considerable impact it is having on businesses as they adapt to new cybersecurity regulations. Veeam has found that while most IT decision makers are confident they can comply with NIS2, they are also facing increased challenges such as a lack of resources and a shortage of qualified personnel.

The survey highlights that this “skills gap” is the main obstacle for organizations in the EMEA region, with 30% of companies using their recruitment budgets to support NIS2 compliance.

Budget for NIS2: A costly achievement

Although IT leaders have managed to obtain the budget necessary to comply with NIS2, this has had a significant impact in other areas. 68% of companies have received additional funding for compliance, but 20% still see budget as a major barrier. Since the political agreement for NIS2 in January 2023, 40% of companies have seen their IT budgets reduced, while 20% have seen no change. Additionally, 95% of organizations have diverted funds from other areas to cover compliance costs, affecting budgets for risk management, contracting, crisis management and emergency reserves.

Edwin Weijdema, Field CTO EMEA at Veeam, comments that ensuring an adequate budget for cybersecurity is a constant challenge for IT leaders. NIS2’s strict penalties and emphasis on corporate responsibility may make this process easier, but with IT budgets reduced or stagnant due to business costs and inflation, NIS2 is putting pressure on already limited funds. It is worrying that funds are being diverted from procurement and emergency reserves as NIS2 should not be treated as a crisis, although one in four companies appear to see it that way.

NIS2 and the challenges for IT managers

The survey also reveals the main pressures felt by IT managers. NIS2 is 10th on their priority list, reflecting the variety of challenges they face. The top five challenges are: lack of qualifications (24%), concern about profitability (23%), digital transformation (23%), increasing business costs (20%) and lack of resources (20%). These results show that human and financial resources are the main constraints for IT leaders, although NIS2 requires both.

To comply with regulations, companies are taking several measures, such as conducting computer audits (29%), reviewing cybersecurity processes and best practices (29%), developing new policies and procedures (28%), investing in new technologies (28%) and increasing the budget for cybersecurity (28%). The main enablers of NIS2 compliance are new technological solutions (27%), IT audits (25%) and internal organizational competencies (25%), which require specific budget and knowledge.

EMEA IT Budget: Security and Compliance

Despite overall reductions in IT budgets over the past two years, additional funds have been allocated for NIS2 compliance, whether from the IT budget or other areas of the business. This explains why 80% of IT budgets in EMEA are now allocated to cybersecurity and compliance. This leaves little room to address other important challenges such as skills gaps, profitability and digital transformation.

“Maintaining security and compliance is vital for any organization, but the fact that it currently represents the majority of the IT budget shows how underprepared and under-resourced organizations are. IT managers have limited budgets, but still need to find resources to quickly comply with NIS2. Those who take a holistic approach to security and best practices before legislation mandates it will face less pressure and be better able to address other key priorities and challenges,” adds Andre Troskie, Field CISO EMEA at Veeam.

United Kingdom: Leader in investment and trust in NIS2

Although NIS2 does not directly affect British companies, those operating with EU entities must comply, and their responses show a different picture. The UK is the only country surveyed to have reported an increase in IT budgets since January 2023, with 62% of IT managers in the UK reporting a budget increase and only 14% experiencing a decrease. This has allowed British companies to invest more in improving their security before the directive comes into force.

38% of UK respondents have already made investments to review cybersecurity processes and best practices, and 34% have invested in new technologies, higher than their EU counterparts. UK IT leaders also plan to continue investing significantly in the future, with 30% planning to review cybersecurity processes and best practices, and 25% planning new investments in technology, compared to an average of 15% and 16% in other countries surveyed.