Three quarters of UK firms unprepared for NIS2 regulations, study finds
Senior management can be held personally liable for non-compliance under NIS2 rules
Three-quarters of UK organizations have yet to complete preparations for the EU’s Network and Information Security Directive (NIS2), according to a new study.
With just one year to go until the deadline for implementation, a majority of UK organizations are yet to fully address and compensate for the five key compliance requirements outlined in the new regulations, SailPoint found.
The new rules are an updated version of previous NIS regulations, introduced by the EU in 2018.
NIS2 essentially aims to build on the previous regulations and implement more robust cyber security and resilience standards among EU organizations, as well as more stringent reporting measures in the event of a security incident.
Under the updated regulations, all public and private entities operating in the EU will be required to adhere to new standards. The regulations specifically target organizations working in critical infrastructure sectors, such as energy, finance, and healthcare.
SailPoint’s study, based on a survey of 1,500 IT decision makers across the UK, France, and Germany, found that many UK firms have yet to even begin preparations for the new rules.
Four in five (80%) revealed they still need to properly secure supply chains while three-quarters (76%) said they have yet to assess the efficiency of existing cyber security measures.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Three-quarters of organizations also need to add new risk management measures (74%), implement HR security (76%), or provide cyber security training to staff (72%).
SailPoint warned that those who fail to comply with the new obligations could face harsh penalties. Organizations can face fines of up to €10 million for non-compliance, or the equivalent of 2% of their annual turnover.
“With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation,” said Stephen Bradford, senior vice president for EMEA at SailPoint.
“The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses."
Bradford said the current lax approach among some UK organizations bears similarities to the months preceding the implementation of the EU’s General Data Protection Regulation (GDPR).
Comply with multiple regulations and industry standards
DOWNLOAD NOW
He urged that businesses “must learn from GDPR” and use the next 12 months to ensure cyber resilience “is at the core of the business models” to avoid falling foul of the regulations.
This is particularly important given certain aspects of the regulations pertaining to personal liability.
Under the new rules, senior management could be held liable for cyber security failings and regulatory infringements if their organization does not comply with its obligations.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.