Three quarters of UK firms unprepared for NIS2 regulations, study finds
Senior management can be held personally liable for non-compliance under NIS2 rules


Three-quarters of UK organizations have yet to complete preparations for the EU’s Network and Information Security Directive (NIS2), according to a new study.
With just one year to go until the deadline for implementation, a majority of UK organizations are yet to fully address and compensate for the five key compliance requirements outlined in the new regulations, SailPoint found.
The new rules are an updated version of previous NIS regulations, introduced by the EU in 2018.
NIS2 essentially aims to build on the previous regulations and implement more robust cyber security and resilience standards among EU organizations, as well as more stringent reporting measures in the event of a security incident.
Under the updated regulations, all public and private entities operating in the EU will be required to adhere to new standards. The regulations specifically target organizations working in critical infrastructure sectors, such as energy, finance, and healthcare.
SailPoint’s study, based on a survey of 1,500 IT decision makers across the UK, France, and Germany, found that many UK firms have yet to even begin preparations for the new rules.
Four in five (80%) revealed they still need to properly secure supply chains while three-quarters (76%) said they have yet to assess the efficiency of existing cyber security measures.
Three-quarters of organizations also need to add new risk management measures (74%), implement HR security (76%), or provide cyber security training to staff (72%).
SailPoint warned that those who fail to comply with the new obligations could face harsh penalties. Organizations can face fines of up to €10 million for non-compliance, or the equivalent of 2% of their annual turnover.
“With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation,” said Stephen Bradford, senior vice president for EMEA at SailPoint.
“The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses.”
Bradford said the current lax approach among some UK organizations bears similarities to the months preceding the implementation of the EU’s General Data Protection Regulation (GDPR).
He urged that businesses “must learn from GDPR” and use the next 12 months to ensure cyber resilience “is at the core of the business models” to avoid falling foul of the regulations.
This is particularly important given certain aspects of the regulations pertaining to personal liability.
Under the new rules, senior management could be held liable for cyber security failings and regulatory infringements if their organization does not comply with its obligations.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.