NIS Directive has Positive Effect, though Study Finds Gaps in Cybersecurity Investment Exist
The European Union Agency for Cybersecurity (ENISA) released a new report on information security spending for network and information services (NIS) under the NIS Directive, the first EU-wide legislation on cybersecurity. The NIS Investments report is based on a survey of 251 organisations of operators of essential services (OES) and digital service providers (DSP) from France, Germany, Italy, Spain and Poland. Eighty-two percent of those surveyed reported the NIS Directive had a positive effect on their information security.
The new ENISA study examining cybersecurity spending states that 82% of Operators of Essential Services and Digital Services Providers find that the NIS Directive has a positive effect. However, gaps in investment still exist. When comparing organisations from the EU to those from the United States, data shows that EU organisations allocate on average 41% less to cybersecurity than their US counterparts.
NIS Directive Implementation
The report provides input to the European Commission’s review of the NIS Directive on the 16th of December, four years after the Directive entered into force and two years after the transposition into national law.
Challenges remain after the implementation of the Directive: a lack of clarity about what the NIS Directive expects of organisations after transposition into national law was a common issue. More than 35% of organisations surveyed believe the NIS Directive expectations are unclear. Twenty-two percent of respondents listed limited support from national authorities as one of their top challenges when implementing the Directive.
Cybersecurity Investments: EU vs. US
When comparing organisations from the EU to organisations from the United States, the study shows that EU organisations allocate on average 41% less to information security than their US counterparts.
Key findings about the NIS Directive implementation in the NIS Investment report
- The average budget for NIS Directive implementation projects is approximately €175k, with 42.7% of affected organisations allocating between €100k and €250k. Slightly less than 50% of surveyed organisations had to hire additional security subject matter experts.
- Surveyed organisations prioritised the following security domains: Governance, Risk & Compliance and Network Security.
- When implementing the NIS Directive, 64% of surveyed organisations procured security incident & event log collection solutions, as well as security awareness & training services.
- “Unclear expectations” (35%) and “Limited support from the national authority” (22%) are among the top challenges faced by surveyed organisations when implementing the NIS Directive.
- 81% of the surveyed organisations have established a mechanism to report information security incidents to their national authority.
- 43% of surveyed organisations experienced information security incidents with a direct financial impact of up to €500k, while 15% experienced incidents costing over half a million euro.