NIS2 compliance puts financial strain on EMEA firms
New directives under NIS2 are creating significant financial pressures for organisations in the EMEA region.
A recent survey conducted by Censuswide, commissioned by Veeam Software, highlights the financial strain many organisations face due to the implementation of the NIS2 cybersecurity directive. The survey found that 95% of organisations have had to redirect funds from other parts of their business to meet the costs associated with NIS2 compliance.
While 68% of companies reported securing the necessary additional budget for NIS2 compliance, 20% cited budget issues as a major obstacle. This budget has often come at a cost to other critical areas, with funds being taken from risk management (34%), recruitment (30%), crisis management (29%), and emergency reserves (25%).
"Securing adequate budget for cybersecurity is often a challenge for IT leaders, but the strict penalties and emphasis on corporate accountability from NIS2 may help ease that process," stated Edwin Weijdema, Field CTO EMEA at Veeam.
"However, as most IT budgets are either being cut or remaining stagnant—effectively shrinking due to rising business costs and inflation—NIS2 is pulling from an already limited pool. It's particularly concerning to see funds being redirected from recruitment and emergency reserves. NIS2 shouldn't be treated as a crisis, yet one in four businesses appears to view it that way."
The survey further emphasised the competing pressures on IT departments, where NIS2 ranked low on the priority list, in tenth place. IT leaders in the EMEA region identified the skills gap (24%), profitability concerns (23%), digital transformation (23%), the rising cost of doing business (20%), and a lack of resources (20%) as their top five challenges. Organisations are conducting IT audits, reviewing cybersecurity processes, developing new policies, investing in technology, and increasing budget allocations to address these issues.
"Maintaining security and compliance is vital for any organisation, but the fact that it currently consumes most of the IT budget highlights how underprepared and under-resourced organisations are," remarked Andre Troskie, Field CISO EMEA at Veeam.
"IT leaders have limited budgets, yet still need to find the resources to meet NIS2 requirements quickly. Those who adopt a holistic approach to security and best practices before legislation mandates them will naturally face less pressure, allowing them to better address other key priorities and challenges."
Despite not being directly affected by NIS2, UK companies that engage in business with EU entities must also comply, leading to increased IT budget allocations. Since January 2023, 62% of UK-based IT decision-makers have reported budget increases, contrasting with 14% who reported cuts. This has allowed UK businesses to strengthen their security measures in anticipation of the directive's implementation.
Dan Middleton, Regional Vice President of the United Kingdom & Ireland at Veeam, expressed optimism: "Given their readiness to invest and improve, it's unsurprising that 90% of UK IT decision-makers feel confident in their ability to comply with regulatory requirements—the highest confidence in EMEA.
"This is good news ahead of the upcoming Cyber Security and Resilience Bill. While the details are yet to be released, any moves UK businesses make now to enhance their cyber and data resilience will benefit them when this regulation comes into force.
"This includes the planned investment by over one-third (36%) of UK respondents in upskilling existing employees, which will help tackle the growing skills gap, an issue putting a third (30%) of UK businesses under more pressure than any other common IT challenge."