NIS2: Why are firms struggling to comply?
The Network and Information Systems 2 (NIS2) Directive continues to trip up organizations in critical industries, as leaders grapple with complex supply chains


It’s been some time since the Network and Information Systems 2 (NIS2) Directive came into force in the EU, but many organizations are still struggling to comply. So much so that the EU’s leading security agency, ENISA, has issued a stark warning after finding that six critical national infrastructure (CNI) sectors are failing in their implementation of the directive.
ENISA found a need to align requirements across borders in each NIS sector. It said that collaboration must be strengthened through community building events and cooperation at sector, national and EU level.
Some industries are further behind than others, according to the report, which calls out six sectors struggling to meet the expectations of NIS2: ICT service management, space, public administrations, maritime, gas and health.
So why is NIS2 compliance causing so many headaches and what can security leaders do about it?
Challenged sectors
Some sectors were not equipped to deal with NIS2’s cybersecurity requirements in the first place. Certain industries are struggling due to complex and outdated infrastructure, a lack of sector-specific guidance and “insufficient investment in cybersecurity measures”, says Matt Riley, director for information security at Sharp UK and Europe.
All the highlighted sectors in ENISA’s report share common challenges, says John Lynch, director at Kiteworks: “Complex supply chains with numerous third-party data exchanges, limited visibility into how sensitive data moves between entities, and difficulty implementing the governance controls required by NIS2 for secure data sharing across organizational boundaries.”
One of the most affected sectors is ICT service management, which faces difficulties due to its cross-border nature and the “vast number of diverse entities” involved, says Vincent Lomba, chief technical security officer at Alcatel-Lucent Enterprise. This complexity makes it challenging to implement uniform cybersecurity measures across all levels of the sector, he says.
Healthcare also faces obstacles in complying with the NIS2 Directive, because organizations tend to have complex, interconnected supply chains that introduce vulnerabilities. “Additionally, the widespread use of legacy systems and poorly secured medical devices increases the difficulty of compliance,” Lomba explains.
Adding to this, healthcare is often held back by tight budgets and a lack of resources, making it no surprise that compliance is challenging.
Small businesses also face budget constraints and are under “significant pressure” to manage operating costs while maintaining their service delivery, says Lomba.
In contrast, sectors such as electricity, telecoms and banking have shown “strong resilience and maturity” in their cybersecurity practices, says Riley.
These sectors benefit from long-term investments, robust regulatory oversight, and strong public-private partnerships. This “proactive approach to cybersecurity”, including regular risk assessments, continuous monitoring and “a culture of collaboration and information sharing” makes the sectors much more prepared than their peers in other industries, he points out.
Country-by-country regulation
Issues with regulation at the country level are holding many firms back from NIS2 compliance. Only a handful of EU member states, including Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania, have adopted national legislation to transpose the NIS2 Directive. Others remain at various stages of implementation, says Scott Hudson, principal consultant at Bridewell.
Governments are facing capacity constraints and competing priorities, which has delayed the process, he says. “The fact that many member states have not yet established the laws needed to implement NIS2 clearly makes compliance challenging.”
The UK is not directly regulated by NIS2 following Brexit, but the regulation does impact firms doing business in the EU. At the same time, the UK has its own NIS regulations, which are being strengthened to align with NIS2's principles.
The proposed UK Cyber Security and Resilience Bill is not expected to be as broad in its sector focus as NIS2. Yet it will align the UK more closely with the EU's approach, says Clare Reynolds, digital resilience specialist at Taylor Wessing UK. “The expectation is that the UK regime will be no more onerous than NIS2, with minimal additional policies required to comply with both.”
Compliance quick fixes and long term strategies
If the NIS2 Directive impacts you, it’s important to not bury your head in the sand, says Hudson. He recommends gaining “a clear understanding of your assets, systems, critical functions and cyber risk exposure”, which he says is “essential” to remaining compliant.
Ollie Gower, senior managing director in the cybersecurity practice at FTI Consulting, thinks an “organization-wide, risk-based approach” that “considers the business, culture, technology and supply chain” is key. “With so many elements to take into account, a pragmatic approach based on quick wins and clear prioritization of the most prominent gaps is recommended.”
To boost compliance with NIS2, organizations can adopt both quick fixes and long-term strategies. As a quick fix, Gower recommends that firms appoint a leader to take control of NIS2. At the same time, organizations should focus on visibility. “Map out your critical assets, ICT systems and suppliers. You can’t secure what you don’t fully understand.”
Riley concurs, advising firms to conduct “comprehensive risk assessments to identify your assets”.
At the same time, ensure you are implementing basic cybersecurity hygiene practices such as regular software updates and patch management, and providing awareness training to employees, he adds.
Long-term strategies involve developing a robust cybersecurity framework, aligned to recognized standards such as ISO27001, alongside continuous monitoring and regular audits.
Hudson also advises ensuring you have dedicated resources, either in-house or externally, with the right skills and capabilities to “assess risk, prioritize efforts and drive compliance forward”.
Supply chain risk is a major part of NIS2. Taking this into account, organizations — especially those in high-risk sectors with complex supply chains such as healthcare — need to start evaluating their third-party vendors more rigorously, says Gower. “Create a provider inventory, and ensure there are clear expectations in contracts with third parties around cybersecurity practices.”
Meanwhile, having a basic, well-communicated incident response plan in place can make “all the difference in a time of crisis”, says Gower. He recommends “getting leadership involved early” and “making sure they understand the stakes.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.