A study carried out by the IRIS Group for Industriens Fond on Danish organizations affected by the NIS2 Directive investigated their compliance readiness.
We analyzed the survey responses they collected to understand the companies’ current level of awareness and familiarity with the Directive, the maturity of their compliance programs, and the specific requirements they are struggling with the most.
Check out the findings below!
Unlike EU regulations, which are directly applicable in Member States once they enter into force, EU directives must first be transposed into national law by each Member State before becoming enforceable for the companies impacted. For the NIS2 Directive, the deadline for Member States to adopt the corresponding national legislation is October 17th, 2024, and these national measures apply from the following day, October 18th, 2024.
Regardless of the specific official deadline for obliged entities to comply with the new requirements (that could vary depending on the national laws adopted in each of the entities’ locations), companies falling into the scope of NIS2 should start preparing themselves to address the new requirements to avoid risking compliance violations (and fines).
As part of the survey, the companies interviewed were asked about their compliance readiness level regarding their cybersecurity risk-management measures, as described by Article 21(2) of the Directive.
Article 21(2) lists ten elements that should be included in a company’s technical, operational, and organizational measures to manage the risks posed to the security of their IT systems and OT networks and to prevent or minimize the impact of incidents.
Additionally, the Directive requires such measures to be implemented in each impacted company using a risk-based approach, so that they are appropriate to the specific threats faced by the organization. This means that an organization’s measures should be proportionate to its size, level of exposure to risks, and likelihood of occurrence of incidents (as well as their potential severity).
When asked about their current capabilities to fulfill the requirements laid down by Article 21(2), only 29.2% of the companies surveyed claimed to be ready to meet all of them. The remaining 70.8% admitted that their current measures satisfy only some of them.
In particular, the requirements companies are having the most difficulty with relate to:
Offering a glimpse into how well Danish companies are prepared and mature in adhering to the NIS2 Directive, the data reveal that there are still plenty of opportunities to improve.
Although there is a degree of awareness and initial preparation in place, there is also a clear need for clarifying the directive’s scope and strengthening the understanding of its rules – especially in the areas of supply chain security and effectiveness assessment.
While this snapshot refers to organizations based in Denmark, we can presume that a similar picture is playing out in other countries across Europe and the world. And while impacted entities still have some time to prepare for the entry into force of the NIS2 requirements, it is advisable for OT and IT leaders and operators to start exploring the regulatory framework and planning their compliance strategy now.
Companies need to proactively engage with the NIS2 Directive to protect their critical infrastructure and digital assets, thereby contributing to the overall resilience of the national and global network and information systems.
Besides, failing to achieve compliance could leave them open to the risk of facing administrative fines – as well as reputational risk, compromising their competitive positioning and market share.
Secomea’s solutions are up to date with the latest regulatory developments in the industry to help you achieve and maintain ongoing compliance.
We want to help you be well-prepared for a compliance inspection and ensure a smooth process that will safeguard your organization’s security and reputation.
Watch our webinar on-demand to gain essential insights and expert guidance – and reach out to learn more!