According to a study by Veeam, eight out of ten companies are confident that they will comply with the NIS law, but two out of three companies do not believe they will meet the deadline. There are also conflicting opinions about the effects of the law.

NIS2 is getting closer: the legislation comes into force on October 18th. Veeam thought it was a good time to pre-interview more than five hundred IT decision makers from Belgium, France, Germany, the Netherlands and the United Kingdom. For many organizations, all hands are needed to meet the deadline.

Two out of three respondents fear their organization will not meet the deadline. Various reasons are given for this. The most commonly cited challenges are technical debt (24%), lack of leadership understanding (23%) and inadequate budgets/investments (21%). Four in ten organizations report that their IT budget has decreased since the announcement of NIS2.

Doubts about the effect

Not all IT leaders seem convinced of the impact of NIS2. 74 percent of respondents consider NIS2 useful, but 57 percent doubt its significant impact on the EU’s cybersecurity level. NIS2 is therefore not at the top of the priority list for most respondents.

Skeptics cite other barriers such as the lack of completeness of NIS2 (35%), the belief that compliance is not a guarantee of security (34%) and overlap with existing regulations (25%). 42 percent of respondents who believe NIS2 is unimportant attribute this to inadequate consequences for non-compliance. At the same time, 62 percent describe NIS2 as “strict”.

“NIS2 takes responsibility for cybersecurity from the IT department all the way up to executives. Many organizations recognize the importance of this policy but are struggling to comply with the requirements in a timely manner, indicating major systemic problems. The combined pressures of other business priorities and IT challenges may explain the delay, but that does not reduce the urgency,” said Andre Troskie, EMEA Field CTO at Veeam, commenting on the findings.