UK’s enterprises unsure whether NIS2 applies

21 November 2024

Senior cybersecurity professionals at more than a fifth of the UK’s largest businesses are – still – ‘not sure’ whether the EU’s NIS2 directive even applies to their organisation, according to new research by Green Raven Limited.

More than two-thirds of respondents at organisations with at least 1,000 employees said that NIS2 does apply to them, but almost 10% of these admitted that their organisation was not compliant as of the 17 October deadline – with a further 3% not sure. The findings contradict previous research from June 2024, in which 97% of IT leaders at UK companies declared themselves confident that they would be, or already were, NIS2-compliant.

“NIS2 came into force in January 2023 – almost two years ago – so for senior cybersecurity professionals at the companies most likely to be impacted to not know if it even applies… wow. Saying yes, we’re compliant may be acceptable; admitting that no, we’re not compliant but we’re working on it may also be acceptable – assuming there may be a grace period when new regulations come into force,” said Morten Mjels, CEO of Green Raven Limited. “But, eventually, failure to be compliant is going to significantly impact the ability of these organisations to do business in Europe, or is going to attract a significant fine for doing business in Europe without being compliant. And saying ‘we weren’t sure’ is unlikely to be much of a defence.”

The research also asked respondents for their reaction to the Cyber Security and Resilience Bill, trailed by the UK Government in July 2024’s King’s Speech. This new bill is expected to build upon the foundations laid by the EU’s Network and Information Systems (NIS) directive and is commonly seen as the UK’s response to the NIS2 directive.

Asked to react based on what they had heard or read about the new bill, 37% of respondents hope that the new Cyber Security and Resilience Bill won’t apply to their organisation, but almost 80% expect that it will; 46% of respondents expect the bill to make unwanted demands of UK businesses, but over 82% expect the bill to make reasonable demands of UK businesses. A similar proportion agreed that the bill would make necessary demands of UK businesses, and almost 88% of respondents agreed with the statement ‘The UK Cyber Security and Resilience Bill will improve the UK's overall cyber resilience.’ Not a single respondent disagreed with the statement, despite acknowledging the additional demands and overheads the new bill is likely to bring.

“While few details are known beyond the idea that it will be the UK’s equivalent of NIS2, the key takeaway from the research is that every cybersecurity professional asked clearly believes that there is more that organisations can, and will, be forced – via legislation – to do to improve their cybersecurity posture and resilience. As a cybersecurity professional in an organisation likely to be in scope, I wouldn’t be waiting for legislation,” said Mjels.