Introduction

The implementation of the EU’s Network and Information Security 2 (NIS2) Directive has necessitated significant financial adjustments for organizations, particularly in the EMEA region. The directive has prompted a reallocation of budgets from various business areas to meet compliance requirements, highlighting the financial strain and the challenges IT leaders face in securing adequate resources for cybersecurity.

Description

Meeting the compliance requirements of the EU’s NIS2 Directive has led many organizations to reallocate funds from various business areas [5]. A recent survey indicates that 95% of applicable firms in the EMEA region are diverting budgets to meet these new requirements, with specific reallocations including 34% from risk management, 30% from recruitment, 29% from crisis management [3] [6], and 25% from emergency reserves [1] [3] [4] [5] [6] [7]. This redirection of funds highlights the strain on financial resources, as 20% of IT leaders identify budget constraints as a significant barrier to achieving compliance. Since the political agreement for NIS2 in January 2023, 40% of organizations have experienced decreased IT budgets [1] [4] [5] [6] [7], while 20% have seen no change [5] [7]. The financial strain is further exacerbated by rising costs and inflation, making it challenging for IT leaders to secure adequate cybersecurity budgets.

In the EMEA region [4], a substantial portion of IT budgets (80%) is now dedicated to cybersecurity and compliance [4] [6], limiting resources for other critical challenges such as filling technology roles and enabling digital transformation [8]. Notably, the UK [3] [4] [5] [6], which must comply with NIS2 when doing business with EU entities, has reported an increase in IT budgets [3] [4], with 62% of IT decision-makers indicating a rise since January 2023. This increase allows for greater investment in security improvements [4], and UK IT leaders exhibit high confidence in their ability to meet regulatory requirements [4], with many planning further investments in cybersecurity processes and employee upskilling to address the skills gap [4].

Concerns arise as funds are redirected from recruitment and emergency reserves [5], with one in four businesses treating NIS2 compliance as a crisis [5]. The NIS2 Directive [1] [5], effective from October 17, 2024 [5], impacts around 150,000 large and medium companies in the EU designated as ‘essential’ or ‘important,’ as well as organizations in their supply chains [5], including those outside the EU [5]. Companies are taking proactive steps to comply, such as conducting IT audits, reviewing cybersecurity processes [4], and investing in new technology [4], all of which require significant budget allocation [4]. Despite the pressing need for compliance, NIS2 ranks low on the priority list compared to other challenges such as profitability and digital transformation [4]. The greatest concerns for IT leaders include a shortage of IT skills (24%), digital transformation (23%) [2] [4] [6] [8], and rising costs (20%). IT leaders must find resources to meet NIS2 requirements swiftly [6], and those who adopt a holistic approach to security and proactive measures will face less pressure in managing other priorities.

Conclusion

The financial and operational impacts of the NIS2 Directive are significant, necessitating strategic reallocations and investments in cybersecurity. Organizations must balance these demands with other priorities, such as digital transformation and addressing skill shortages. Proactive measures, such as upskilling employees and investing in new technologies, are essential for mitigating the challenges posed by compliance requirements. As the directive’s effective date approaches, companies that adopt a comprehensive approach to security will be better positioned to manage these competing demands and ensure long-term resilience.

References

[1] https://betanews.com/2024/10/29/compliance-with-nis2-comes-at-a-cost/
[2] https://www.channelconnect.nl/mkb-it-expert-panel/nis2-compliance-drukt-zwaar-op-it-budget-en-bedrijfsreserves/
[3] https://insight.scmagazineuk.com/businesses-diverted-budget-to-afford-nis2-compliance
[4] https://www.veeam.com/company/press-release/nis2-robs-organizations-resources-95-of-emea-businesses-siphon-other-budgets-to-try-and-meet-compliance-deadline.html
[5] https://www.infosecurity-magazine.com/news/nis2-compliance-strain-budgets/
[6] https://enterpriseitworldmea.com/nis2-robs-organizations-resources-95-of-emea-businesses-siphon-other-budgets-to-try-and-meet-compliance-deadline/
[7] https://professionalsecurity.co.uk/products/cyber/nis2-directive-impact/
[8] https://www.computerweekly.com/news/366614699/EMEA-businesses-siphoning-budgets-to-hit-NIS2-goals