Features 22.04.2025

Why Are Firms Failing with NIS2 Compliance?

A new ENISA report lays bare the challenges of aligning with the directive

Danny Bradbury asks what the main roadblocks to NIS2 compliance are for UK firms, and how they can surmount them

The EU’s NIS2 cybersecurity directive is already in force, but many in-scope organisations are struggling to get in line. Some are finding it challenging to meet rigorous new rules designed to improve their cyber resilience. Others may have pushed compliance down the priority list.

Yet this is one of the most significant cybersecurity events in a region famed for its strict regulatory landscape. What gives? A new ENISA study has some answers.

A history of NIS2

NIS2 is the successor to the EU’s original 2016 Network and Information Security (NIS) Directive. It aims to strengthen and harmonise cybersecurity rules across the EU, evolving them to handle a more complex threat landscape.

One of the biggest changes in the new directive involves an expanded scope. NIS originally applied to operators of essential services (OES) and digital service providers, leaving the details to member states. NIS2 widens that to 10 sectors including public administration, food production, and even the space industry. These include many sub-sectors, and member states don’t have the same latitude when defining sectoral scope.


It also carves out two new categories of provider: “Essential Entities” (EEs) such as large hospitals and energy providers, and “Important Entities” (IEs), such as medium-sized digital providers and manufacturing firms.

NIS2 introduces stricter compliance requirements, including mandatory initial incident notification within 24 hours, and specific risk management obligations in areas like vulnerability handling, encryption, and supply chain security, the latter of which wasn’t an explicit requirement in NIS.

Those who falter face serious penalties; EEs could pay up to €10m (£8.6m) or 2% of global revenue, while IEs could fork over up to €7m or 1.4% of global revenue. Notably, NIS2 includes personal liability provisions, enabling authorities to suspend directors and senior managers from duty.

Some sectors could try harder

While NIS2 is designed to help protect the broader community, research suggests that many organisations are not handling compliance very well. The EU Agency for Cybersecurity (ENISA) recently studied the maturity levels of organisations across different sectors and sub-sectors in the EU.


The results were concerning, placing six industries in what it called the “risk zone”. The criticality score for these sectors was higher than their cybersecurity maturity score. The latter was relatively low, ranking in the lower half among all sectors.

Those on the naughty list were ICT service management, health, gas, maritime, public administration, and space.

Other sectors also scored low on the cybersecurity maturity scale but ENISA viewed them as less critical to society. For example, waste water was the least mature, but also had the lowest criticality score. It’s worth noting, though, that the waste water management sector’s criticality score almost outweighed its maturity score.

A lack of awareness

The inclusion of six critical infrastructure sectors or sub-sectors in ENISA’s risk zone is a significant shortcoming at a time when the EU is doing its best to bolster cybersecurity across the board. This isn’t the only research to highlight problems.

A survey of 200 senior cybersecurity executives conducted last year by cybersecurity consultancy Green Raven found 10% of companies admitting that they were not compliant by the October 17 2024 deadline. In fact, over a fifth of senior cybersecurity professionals at large UK firms were unsure whether NIS2 even applied to them.


“Generally speaking, I’d say there’s been a belated awareness and level of compliance across the EU in terms of NIS2,” says Sarah Pearce, partner at legal firm Hunton Andrews Kurth.

Those who falter are likely to be affected. Zscaler has previously pointed out that not only does the directive cover over 160,000 organisations in the EU, but it also affects any company in the world providing services to those organisations.

“Eventually, failure to be compliant is going to significantly impact the ability of these organisations to do business in Europe,” says Green Raven’s CEO Morten Mjels.

Many aren’t used to strict regulation

So what’s the holdup? ENISA suggests that many industries in the directive’s expanded scope that haven’t had to grapple with strict regulation before are at a disadvantage. Some, like electricity, are more likely to be subject to existing cybersecurity policy frameworks than others, and get more support and oversight from regulatory agencies. This often stems from greater political scrutiny.

“I think it’s fair to say that those organisations within sectors that have had incident reporting requirements and the like and that are regulated are fairly well prepared,” Pearce says. “I’m thinking here about banking and telecoms, for example.”

Some sectors also grapple with legacy equipment that is a barrier to change, experts point out.

“Many sectors rely on operational technology systems that were not designed with modern cybersecurity threats in mind,” says Tim Wright, partner at legal firm Fladgate. “Securing these systems while maintaining operational continuity is a major hurdle, compounded by lack of resources or skilled personnel.”

A slow transition to national law

The other potential spanner in the works is that enforcement of NIS2 depends on its implementation in national law, and that is taking time. The EU launched infringement proceedings against 23 member states for failing to implement NIS2 locally by the compliance deadline, and only 10 have done so at the time of writing.

That makes NIS2 compliance less of a priority for some companies, says Edwin Weijdema, field CTO and global technologies at storage company Veeam. “I’ve been hearing that a lot of companies are just putting it on the back burner because there’s so much other stuff they’ve got to deal with at the moment,” he tells Assured Intelligence.


As a non-member of the EU, the UK doesn’t have to implement NIS2. It does have a bill in the works – the Cyber Security and Resilience Bill – although there is no confirmed timeline for when it might become law.

In the meantime, companies have other pressures to think about. Tariffs spring to mind. “When you have a nice, stable relationship between countries, then the economy flourishes,” says Green Raven’s Mjels. “There are probably bigger priorities right now.”

What next?

It’s understandable that companies facing economic pressures might not be focusing on NIS2, but the pressure is mounting, says Veeam’s Weijdema, not least because of the supply chain focus. As they gear up for compliance, more companies will be scrutinising their suppliers’ status, he warns.

So what can CISOs do to prepare their organisations for what’s coming?

“CISOs can take immediate steps such as gap analysis, incident response planning, and supply chain security evaluations,” says Fladgate’s Wright. “Adopting long-term strategies like continuous compliance practices and advanced risk management frameworks will enhance overall cybersecurity resilience.”

The highly interconnected nature of modern supply chains means that, even for businesses on this side of the Channel, EU directives in the mirror might be closer than they appear.
