Overconfidence may be preventing European businesses from acting now to become NIS 2 compliant

Traditionally, organizations tend to be reactive in their attempt to combat evolving cybersecurity attacks, relying on the chances of themselves being the target as low and then evolving with the wider industry. However, with the advent of AI, the threat landscape is only getting larger and malware actors are able to exploit even the smallest gap in a security framework.

This reactive mindset needs to change quickly, and new regulations such as the NIS 2 Directive and DORA are being implemented to force a proactive approach to security processes. For example, NIS 2 aims to improve basic cyber hygiene across critical infrastructure sectors across Europe by forcing relevant organizations to review and upgrade their current frameworks and encourage preventative rather than mitigative measures.

But how can technology support businesses to improve their security standards and how can Zscaler provide the assistance leadership needs to reach compliance within the October deadline? In April 2024, Zscaler commissioned a cross-industry survey of over 875 IT leaders across six European markets to understand where organizations are in their journey to becoming NIS 2 compliant. 

IT leaders confident in reaching compliance

IT leaders are confident that their organizations will be able to reach NIS 2 compliance ahead of the October 17th deadline – with four-fifths (80%) of those surveyed believing this to be the case. Meanwhile, 14% of surveyed decision makers claim to have already met them months ahead of the deadline.

And it isn’t just IT teams who are focusing on the regulations. A third (32%) of IT leaders confirm that NIS 2 regulations are currently one of their leadership team’s top priorities and 52% say they are becoming a higher priority – with primary ownership for driving compliance efforts split between the CIO (22%), CEO (20%) and CISO (20%).

The confidence level of reaching compliance in time is high and IT teams have the backing of leadership teams who recognize the importance of such regulations for cybersecurity success. But is there more to this picture than first meets the eye?

Confidence doesn’t correlate with understanding

Despite IT leaders’ strong belief that their organizations will reach compliance within the deadline, the survey suggests that this confidence may be built on shaky foundations. Only half of the respondents (53%) believe their teams fully understand what the requirements for NIS 2 compliance are. This drops to 49% when asked if they felt leadership fully understood the requirements. Without this knowledge, there is a real risk that organizations will miss something in their NIS 2 approach and find themselves scrambling at the last minute to complete a necessary task, if they don’t want to risk heavy non-compliance fines. 

The report also highlighted a disconnect between how the directive is being positioned and how IT leaders might view it. NIS 2 is being positioned as a directive to improve foundational security and as an extension of the existing NIS framework. However, nearly two-thirds (62%) of those surveyed believe it represents a significant departure from their current strategy. This suggests that many businesses have not been keeping up with evolving technology solutions and have been getting away with maintaining the bare minimum security requirements for as long as they could. 

This assumption is affirmed by the fact that only a third (32%) of IT leaders rated their existing cyber hygiene as excellent, and two-fifths said that their organization has yet to implement a zero trust architecture as part of its cybersecurity approach. 

This leaves organizations with significant ground to make up in the remaining month before the directive is turned into local laws at country level across Europe. Three particular areas that IT leaders identified as needing major change to become compliant were updating their technology stack or cybersecurity solutions and educating both employees and leadership. Respondents also noted three areas of the directive which are causing them the biggest challenge: Security in network and information systems (31%), basic cyber hygiene practices and training (30%), and policies and procedures to the effectiveness of cyber security risk-management measures (29%).

The survey findings suggest that many businesses across Europe aren’t as far along with their current cybersecurity standards as they should be, and that immediate action is needed to help them achieve the necessary foundational changes within the time available. But how can organizations move to action in the most efficient and effective way possible?

Building compliance into your security reviews

Traditionally, IT teams would implement new technology on top of their current stack and flip a switch to tick the compliance box. Today, that isn’t enough to protect a digital estate with the regulatory environment being more focused on the framework and risk rather than a specific technology. Instead, IT teams should be aiming to remove and simplify their technology stack, enabling them to become more agile and capable of updating their organizational environment at a faster pace. However, that doesn’t mean that technology has a lesser role to play in compliance efforts. In fact, 44% of IT leaders believe that tools and services are critical to a successful NIS 2 implementation. 

Government directives like NIS 2 force organizations to review their current security processes and, if necessary, move them up to what is now considered to be the current base layer of protection. Those regulatory initiatives don’t target cybersecurity excellence. While it is possible therefore to be wholly NIS 2 compliant on paper, organizations who approach it with this end-goal alone might end up having a low level of operational security. 

A change in mindset is required to raise the security posture of IT in the digital age and move organizations from mitigating threats in progress to building a holistic overview of their environment that enables them to identify areas of risk ahead of time. To do this, IT teams must connect their multiple technologies and tools into one solution platform, such as Zscaler’s Zero Trust Exchange. This will help organizations to reduce technology complexity by controlling permissions and monitoring digital traffic through one source and identify and respond to threat actors, minimizing potential damage and impact of attacks.

Implementing a zero trust architecture helps to reduce an organization's attack surface, prevents lateral movement, and allows organizations to securely connect the right user to the right application without exposing their networks to the internet. This significantly mitigates the risk of attacks while helping organizations meet NIS 2’s mandates for secure data handling, access controls, and incident management. 

Zscaler can support compliance initiatives with the following security services:

Zscaler Internet Access™ and Zscaler Private Access™ deliver threat protection, data protection, and policy enforcement by controlling traffic flows while providing security event and transaction logs used for security monitoring and investigation.

Attack surface mitigation through the Zero Trust Exchange platform ensures that users are never placed on the network and applications are never exposed to the internet, significantly reducing the attack surface. In addition, it provides full access control policy to internal applications.

Zscaler Risk360™ enables continuous monitoring and vulnerability detection, allowing organizations to proactively address security risks.

Organizations must ensure compliance audits become part of an ongoing cycle for security teams in order to stay ahead of threat actors and ensure their security infrastructure is fit-for-purpose at all times. Doing this will give organizations a significant business advantage over competitors as compliance will become easier, cheaper and lead to risk savings in the long-term.

To learn more about how Zscaler can help support your business to NIS 2 compliance safely and efficiently, please visit: https://www.zscaler.com/platform/zero-trust-exchange