Organizations rethink cybersecurity investments to meet NIS Directive requirements

Despite a 25% increase in the cost of major cyber incidents in 2022 compared to 2021, the new report on cybersecurity investment from ENISA reveals a slight increase of 0,4% in the share of IT budget dedicated to cybersecurity by EU operators in scope of the NIS Directive.

Organizations face information security recruitment challenges

However, while organizations are inclined to allocate more budget to cybersecurity, 47% of all organizations surveyed do not plan to hire information security Full Time Equivalents (FTEs) in the next two years. In addition, 83% of these organizations report recruitment difficulties in at least one information security domain. The hiring issues surfacing in the report could be one of the factors affecting how vulnerabilities are managed.

Indeed, an analysis of patching of critical IT and OT assets in the transport sector shows that 51% of the organizations in the sector need one month to patch critical vulnerabilities and 21% need between one month and six months. Only 28% of the surveyed organizations fix critical vulnerabilities on critical assets in one week.

“Allocating sufficient budgetary and human resources to cybersecurity is key to our success. Managing vulnerabilities is essential and must go hand-in-hand with “secure by design” initiatives. In the meantime, we do need to continually invest in areas such as identifying, managing and reporting vulnerabilities that can have an impact on the security of the whole Digital Single Market,” said Juhan Lepassaar, Executive Director, EU Agency for Cybersecurity.

For the purpose of the published analysis, the survey looked at Operators of Essential Services (OES) and Digital Services Providers (DSP) as identified in the European Union’s Directive on Network and Information Security Systems (NIS Directive). The objective of the report was to identify how organizations invest in cybersecurity in order to meet the requirements set by the initial NIS Directive.

However, the concept of investment also extends to the human element. 2023 is the European Year of Skills. This is why particular emphasis was placed on cybersecurity skills among OES and DSPs, and on cybersecurity workforce hiring and gender balance.

NIS Directive as the main driver for cybersecurity investments

The share of IT budget that OES/DSPs dedicated to cybersecurity reached 7,1% in 2022, representing an increase of 0,4% compared to 2021. 42% of OES/DSPs subscribed to a dedicated cyber insurance solution in 2022, representing a 30% increase from 2021. Still, only 13% of SMEs subscribe to cyber insurance.

OES/DSPs allocate 11,9% of their IT FTEs to information security (IS), a decrease of 0,1%. OES/DSPs employ an average of 11% of women in IS FTEs. With the median at zero percent, most of the surveyed organisations do not employ any women as part of their IS FTEs.

The NIS Directive is the main driver for cybersecurity investments for 55% of OES in the transport sector. 51% of the transport organizations manage OT security with the same unit or people as IT cybersecurity.

Vulnerability management is the process of identifying security vulnerabilities and assessing their associated risk, in order to resolve the cause before they can be exploited or to intelligently reduce the risk by implementing adequate mitigation measures.

Managing vulnerabilities and ensuring patches are available protects end-users and helps to ensure security is applied across the whole lifecycle of any product. The 2022 edition of the NIS Investments report found that for 46% of organizations surveyed it takes more than 1 month to patch critical vulnerabilities.

Improving interoperability, automation and streamlined processes for exchanging information can go a long way towards ensuring vulnerability disclosure. At the same time, vendors need to have the appropriate tools, processes and people in place to implement secure-by-design practices in order to reduce the risk for users, whereas organizations are responsible for reducing the time between the disclosure of vulnerabilities and their remediation by enabling tooling for automated vulnerability information sharing.

EU vulnerability coordination and vulnerability database

NIS2 establishes a basic framework, with responsible key actors, for coordinated vulnerability disclosure of newly discovered vulnerabilities across the EU, and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and ICT services, to be operated and maintained by the EU Agency for Cybersecurity (ENISA).

The combination of national and EU efforts will form the basis for a mature vulnerability disclosure ecosystem within the EU. Importantly, these initiatives will contribute to an enhanced vulnerability management landscape.

The EU cybersecurity policy framework includes a number of proposed policy files. Among them are the Cyber Resilience Act (CRA) and the Cyber Solidarity Act (CSoA), which contain provisions that propose to further improve vulnerability management in the EU, such as additional measures ensuring the quality of products and services that will contribute to the application of security aspects throughout the entire product lifecycle.

The objective of the Directive on Security of Network and Information Systems (NIS Directive) is to achieve a high common level of cybersecurity across all Member States. The revised directive, known as NIS2, came into force on 16 January 2023 and extended the scope to new economic sectors.

One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for OES and DSPs.

OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries).

DSPs operate in an online environment, namely online marketplaces, online search engines and cloud computing services.