35% of organizations believe the NIS Directive expectations are unclear

The European Union Agency for Cybersecurity (ENISA) released a report on information security spending for network and information services (NIS) under the NIS Directive, the first EU-wide legislation on cybersecurity.

The report is based on a survey of 251 organizations of operators of essential services and digital service providers from France, Germany, Italy, Spain and Poland. Eighty-two percent of those surveyed reported the NIS Directive had a positive effect on their information security.

NIS Directive implementation

The report provides input to the European Commission’s review of the NIS Directive on the 16th of December, four years after the Directive entered into force and two years after the transposition into national law.

Challenges remain after the implementation of the Directive – the lack of clarity of the NIS Directive expectations after transposition into national law was a common issue. More than 35% of organizations surveyed believe the NIS Directive expectations are unclear.

Twenty-two percent of respondents listed limited support from national authorities as one of their top challenges when implementing the Directive.

Cybersecurity investments: EU vs. US

When comparing organizations from the EU to organizations from the United States, the study shows that EU organizations allocate on average 41% less to information security than their US counterparts.

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, said: “This data indicates that the NIS Directive has been a great tool to drive investments, but recognises that certain gaps still exist, and a clearer strategic framework and more elaborated approach is needed. The review of the NIS Directive is timely and can therefore address these challenges — building a stronger network and information security framework.”

Key findings

• The average budget for NIS Directive implementation projects is approximately €175k, with 42.7% of affected organizations allocating between €100k and €250k. Slightly less than 50% of surveyed organizations had to hire additional security matter experts.
• Surveyed organizations prioritised the following security domains: Governance, Risk & Compliance and Network Security.
• When implementing the NIS Directive, 64% of surveyed organizations procured security incident & event log collection solutions, as well as security awareness & training services.
• “Unclear expectations” (35%) and “Limited support from the national authority” (22%) are among the top challenges faced by surveyed organizations when implementing the NIS Directive.
• 81% of the surveyed organizations have established a mechanism to report information security incidents to their national authority.
• 43% of surveyed organizations experienced information security incidents with a direct financial impact to up to €500k, while 15% experienced incidents with over half a million euro.