NIS2: Small Carrot, Big Stick

  • Jan 16
  • 8 min read


NIS2 represents one of the most significant advancements in the EU's cybersecurity landscape. I fully support its implementation and aspire to see the EU and businesses become more secure, resilient, and prosperous. Looking ahead, I hope that in five years, we can point to remarkable statistics and success stories demonstrating how NIS2 has transformed the cybersecurity environment and positively impacted our economy.


But.

When I put my BISO hat on and look at this neutrally, there is another reality that we need to explore.

 

Note: when I say EU, it’s all of us, not a particular/specific institution.

 

Again, to avoid controversy or misunderstanding, I believe NIS2 can enhance resilience across the EU. Still, it lacks positive reinforcement, and there’s too little emphasis on benefits like improved competitiveness or public recognition for achieving high cybersecurity standards.


And the stick? The financial penalties for non-compliance are substantial. Under NIS2, fines can reach up to €10 million or 2% of an organization's global turnover.


One of the most debated aspects of NIS2 is whether it functions as a form of indirect taxation on businesses. Compliance with the directive demands significant financial resources, including investments in technology, personnel training, and ongoing operational adjustments. For many, these costs feel obligatory and disproportionate, particularly for organizations that consider themselves unlikely targets of sophisticated cyberattacks (even if they are).


First, let’s define SME in the NIS2 context:

  • Small enterprises: Fewer than 50 employees and an annual turnover or balance sheet total not exceeding €10 million.

  • Medium enterprises: Fewer than 250 employees and an annual turnover not exceeding €50 million or a balance sheet total not exceeding €43 million.

NIS2 primarily targets medium-sized and large organizations operating in critical sectors like energy, healthcare, transportation, and financial services. According to an ENISA report, these are also the most targeted sectors in the EU.

 

Why does it feel like a business tax?

  1. Compliance is non-negotiable, requiring organizations to allocate resources regardless of perceived risks.

  2. The directive imposes steep fines for non-compliance, reinforcing the perception of a financial levy.

  3. The financial strain is far more significant for small and medium-sized enterprises (SMEs) than large corporations with substantial cybersecurity budgets. The European Commission's impact assessment anticipates that companies must increase their cybersecurity spending by up to 22% in the initial years following NIS2's implementation. (Source: Wallix)

 

Why Do SMEs Matter?

  • According to the European Commission, SMEs (Small and Medium-sized Enterprises) make up 99% of all businesses in the EU.

  • According to recent statistics, approximately 22.6 million SMEs operate across the EU.

  • SMEs are the largest employers in the EU, accounting for two-thirds (approximately 66%) of total employment in the region.

  • SMEs contribute to 53% of the total Gross Value Added (GVA) in the EU, demonstrating their significant role in economic productivity.

  • A European Investment Bank (EIB) survey found that 62% of SMEs cite access to finance as a critical barrier, underscoring their reliance on supportive policies and funding.

Supporting SMEs with NIS2 implementation is a critical step. Continue reading to explore support and funding opportunities and my key recommendations.

 

Current Economic and Political Landscape

Economic Challenges

The European economy is navigating a period of instability. Inflation continues to rise, and energy costs remain elevated, squeezing the margins of businesses grappling with reduced consumer spending. This economic backdrop complicates the implementation of NIS2, as organizations find themselves juggling competing priorities for limited resources.

The financial constraints are particularly pronounced for SMEs, which form the backbone of the EU economy. Unlike larger corporations, these businesses often lack dedicated cybersecurity teams and the capacity to absorb significant compliance costs. Without external support, they risk falling behind, both in terms of compliance and competitiveness.


Political Considerations

The geopolitical climate further emphasizes the need for robust cybersecurity. Rising international tensions have amplified the frequency and sophistication of cyberattacks targeting critical infrastructure within the EU. These attacks threaten individual organizations, national security, and regional stability.

Upcoming elections across several EU member states add another layer of complexity. Political transitions can influence cybersecurity priorities, funding allocations, and the enforcement of directives like NIS2.

 

While the directive is designed to be a long-term safeguard, its implementation will be shaped by short-term political dynamics.


The Evolution of EU Cybersecurity: From NIS to NIS2

The Lessons of NIS

Adopted in 2016, the original NIS Directive marked the EU’s first unified approach to cybersecurity. While groundbreaking, its implementation exposed significant gaps:

  1. Member states varied widely in their application of the directive, leading to uneven levels of protection.

  2. The identification and supervision of Operators of Essential Services (OES) were inconsistent, with some countries allocating far more resources than others.

  3. On average, EU organizations allocated 41% less to cybersecurity than their U.S. counterparts. (Source: EPRS, The NIS2 Directive)


ENISA Key Findings

  • The average NIS implementation budget was approximately €175,000, with many organizations struggling to meet this modest figure.

  • Limited support from national authorities and unclear expectations created additional challenges.

  • Nearly half of surveyed organizations experienced cybersecurity incidents, with financial impacts reaching €500,000 or more in some cases. (Source: ENISA)

 


NIS2: Where We Are Today

NIS2 builds on the lessons of its predecessor, addressing fragmentation and establishing a more robust framework for cybersecurity across the EU. Member states were required to transpose NIS2 into national law by October 2024, but progress varies widely:

  1. Fully Transposed: Countries like Belgium, Croatia, Lithuania, and Romania have enacted legislation aligned with NIS2. (Source: Orrick)

  2. In Progress: Nations like Germany, Sweden, and France are still reviewing or drafting legislation, with implementation expected this year. (Source: Truid)

  3. Delayed Implementation: Several member states have missed the transposition deadline, prompting the European Commission to initiate infringement proceedings.


What’s Next? By April 2025, member states must identify essential and significant entities under the scope of NIS2. Businesses operating in critical sectors, from energy and healthcare to banking and digital infrastructure, must assess their obligations and take steps toward compliance. There is also the option to self-register. We will see how this plays out.

 


The Cost of Compliance

At the heart of these requirements lies the need for cutting-edge technology. Organizations must deploy advanced tools such as firewalls, intrusion detection systems, and endpoint protection solutions to meet the directive's stringent standards. These technologies are not merely optional upgrades but foundational defenses against increasingly sophisticated cyber threats.


However, technology alone is insufficient. The human element is equally critical. Businesses must support their cybersecurity teams, hire skilled professionals, and provide comprehensive training for existing staff. This will ensure that employees are equipped to navigate the complexities of NIS2 compliance and respond effectively to potential threats.


Transparency and accountability are also key pillars of the directive. Organizations are required to establish robust mechanisms for reporting cybersecurity incidents, enabling swift responses and fostering trust among stakeholders. These systems must be meticulously designed to capture and communicate critical information without delays.


Lastly, the journey to compliance is not a one-time effort but an ongoing commitment. Regular audits and assessments are pivotal in maintaining alignment with NIS2 requirements. These evaluations help businesses identify gaps, refine strategies, and reinforce their resilience against evolving threats.


While these measures will undoubtedly make businesses more resilient and increase their chances of remaining competitive in the market, I find it hard to believe that companies will allocate up to a quarter of their limited budgets solely to comply with NIS2 regulations, even when faced with potential penalties and fines.

In my experience, companies are likely to forgo such expenditures if they don’t perceive a clear return on their investment. Small carrot, big stick. And, when faced with choosing between a 20% investment or 2% penalty, the choice is clear. It is like asking a hospital manager to choose between an antivirus and antibiotics.


Looking ahead, the primary challenge seems to be that, one way or another, it’s the consumer/citizen who will bear the cost:

  • If a company invests in NIS2 compliance, that expense will likely be passed on to customers through higher prices for goods or services.

  • If they choose not to invest and a breach occurs, consumers/citizens will ultimately pay the price with their personal data, becoming targets and, in some cases, victims.

 


Support and Funding Opportunities

To ease the burden on businesses, the EU offers several initiatives:

  1. ENISA Resources: Comprehensive guidance on compliance, risk management, and incident reporting.

  2. Funding Programs:

    1. Digital Europe Programme: Supports cybersecurity infrastructure projects.

    2. Horizon Europe: Funds research and innovation in cybersecurity.

    3. National Initiatives: Some governments are exploring tax incentives or partnerships to support compliance efforts.

But is this enough?

 


The Way Forward

For NIS2 to succeed, the active involvement of the EU and national governments is vital. Governments must take a leadership role in fostering collaboration between businesses, public institutions, and local organizations.

Based on the knowledge that I have related to EU programs and initiatives, my key recommendations, along with actionable steps, are as follows:

 

Increased National and EU Funding

  • Allocate a specific percentage of national and EU budgets to cybersecurity initiatives, with targeted funding for NIS2 compliance.

  • Establish dedicated grants and subsidies to support small and medium-sized enterprises (SMEs) implementing robust cybersecurity measures.

  • Promote transparency in how these funds are allocated to ensure they directly contribute to enhancing national resilience.

 

Public-Private Partnerships

  • Incentivize private sector participation by providing tax benefits or other financial support for companies contributing to collective cybersecurity efforts.

 

Capacity Building Through Education and Training


1. Launch EU-Backed Initiatives

  • Establish EU-wide scholarship programs to attract students to pursue cybersecurity careers, focusing on underrepresented groups to promote diversity.

    • Leverage and expand initiatives like the Erasmus+ Program to include specialized cybersecurity tracks, offering mobility opportunities for students to study in countries with leading expertise.

  • Partner with businesses and cybersecurity organizations to create apprenticeship schemes that provide hands-on experience to new professionals.

    • Use platforms like EU4Digital to connect young professionals with internship opportunities across member states.

  • Develop intensive boot camps and workshops supported by the EU, focusing on emerging threats, NIS2 compliance, and innovative technologies like AI and IoT security.


2. Partner with Universities and Technical Institutions

  • Collaborate with universities and technical schools to create standardized, NIS2-aligned cybersecurity curricula that meet the real-world needs of businesses and public institutions.

  • Encourage joint research projects between academia and industry to drive cybersecurity innovation and develop cutting-edge compliance and threat management tools.

    • Expand initiatives like Horizon Europe to fund cybersecurity research and technology transfer.


3. Offer Government-Sponsored Certifications and Programs

  • Introduce government-backed, EU-recognized certifications for cybersecurity professionals that validate NIS2 compliance and advanced threat management expertise.

  • Provide subsidies for businesses to enroll employees in reskilling programs, ensuring the current workforce is prepared for new cybersecurity challenges.

  • Add an accelerated NIS2 Training program backed by EU funds, coordinated by national entities, to support businesses with NIS2 implementation.

  • Support lifelong learning programs for cybersecurity professionals to stay updated on evolving regulations and technologies, enabling them to effectively adapt to new threats and requirements.

 

Epilogue

  • NIS2 can be a catalyst for the EU economy and the future of democracy.

  • Unfortunately, I don’t foresee the expected success in adoption/compliance.

  • Most companies have more significant problems today than worrying about NIS2.

  • Without investments:

    • The gap between SMEs and large corporations will widen even more.

    • Innovation might take a step back (as SMEs are hubs for innovation).

      • We have already seen this with GDPR.

  • Limited support from national authorities continues to be a big challenge.

  • Businesses must choose between non-compliance fines and ransomware.


Time will tell.
