The European Union Agency for Cybersecurity issues a new report on how cybersecurity investments have developed under the provisions of the NIS directive.
The NIS Directive has been implemented by 82% of the 947 organisations identified as Operators of Essential Services (OES) or Digital Service Providers (DSP) surveyed across the 27 Member States, with 67% requiring an additional budget for its implementation.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar stated that: “Measuring the effectiveness of cybersecurity is a challenging task. Looking at information security investments for essential operators and where their resources are focused provides us with an understanding of the state of cybersecurity across the Union.”
The EU Agency for Cybersecurity (ENISA) published last year the first edition of the report – NIS Investments Report 2020 – with an initial insight of the cybersecurity investment approaches of services providers covered by the directive on security of network and information systems (NIS Directive), namely of OES and DSP.
The new report – NIS Investments Report 2021 – aggregates data from all 27 EU Member States and looks into the allocation of cybersecurity budget of OES and DSP and how this allocation has possibly changed as result of the need to implement the provisions of the directive. It also analyses the economic impact of cybersecurity incidents and assesses how these organisations monitor their budget and invest in order to meet their cybersecurity requirements.
What is the role and impact of the NIS Directive on NIS investment?
As the first EU-wide legislation on cybersecurity, the objective of the Directive on Security of Network and Information Systems (NIS Directive) is to achieve a high common level of cybersecurity across all Member States. One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for OES and DSP.
The report investigates how operators invest in cybersecurity and comply with the objectives of the NIS Directive. It also gives an overview of the situation in relation to such aspects as IT security staffing, cyber insurance and organisation of information security in OES and DSP.
In this context, the findings of the report can be used to further feed into the proposal for the directive on measures for a high common level of cybersecurity across the EU currently under discussion in the European Parliament and the Council of the European Union, which is known as the ‘NIS 2’. The report in this sense could also contribute to further policy reflections as it builds on the work already engaged last year.
What are the key findings?
- Implementing the NIS directive
Almost 50% of surveyed organisations acknowledge either a significant or a very significant impact of the NIS Directive on the management of their information security. Nearly 50% of established OES and DSP consider that their detection capabilities are now strengthened as a result of the implementation of the provisions of the directive. 26% believe that it has improved their ability to recover from incidents. In 2020, only 8.8% of surveyed OES and DSP experienced a major security incident.
Even if 67% of those service providers need to allocate additional budget to ensure compliance, 18% still have not implemented any of the provisions at all.
A typical OES/DSP spends around 2 million euros on information security. The respective budget for implementing the NIS directive amounts from 5% up to 10% of the overall information security budget.
The study reveals that organisations worldwide mainly dedicate their security budget on the following functional security domains, with the remaining budget covering identity access management, data, end point and application security:
– vulnerability management and security analytics for 20%;
– governance, risk and compliance for 18%;
– network security for 16%.
The survey results indicate that a typical OES or DSP from the energy sector allocates the highest budget to achieve implementation, closely followed by organisations in the banking sector. Drinking water supply and distribution, financial market infrastructures and digital infrastructure allocate the lowest budgets to achieve compliance.
The top 3 domains of implementation of the NIS Directive identified are:
– governance risk and compliance (GRC);
– network security;
– vulnerability management.
- Cost of incidents
The banking and healthcare sectors are the sectors suffering the highest direct costs of major security incidents when they happen, usually ranging from 213 000 to 300 000 EUR when the usual direct cost is about 100 000 EUR.
- Human resources
Nearly 50% of the established OES and DSP in the EU hire the services of contractors to support their information security workforce.
A typical OES and DSP employs on median 60 IT staff, 7 of which are dedicated to information security. On average, 2 staff members are specifically allocated to incident response. The information security workforce in OES and DSP increased due to the implementation of the NIS Directive as 18,7% of surveyed organisations hired additional internal staff and 32% resort to external contractors.
- Cyber insurance
Over 57% of organisations have not subscribed to a cyber insurance. Yet, more than half of OES and DSP certify their systems and processes.
The majority of these services providers assess their information security controls meet or exceed industry standards with only 5% admit they don’t.
A total of 23% of organisations reported that they do not subscribe to any cyber insurance solution, although they declare the intention to implement one.
The NIS Directive represents the first EU-wide legislation on cybersecurity, with the objective to achieve a high common level of cybersecurity across all EU Member States. One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for Operators of Essential Services (OES) and Digital Service Providers (DSP). OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries). DSP operate in an online environment, namely online marketplaces, online search engines and cloud computing services.