Frontier Economics estimated that the total cost of implementing NIS2 for EU businesses would be approximately €31.2 billion (US $33.9 billion) per year. This amounts to about 0.31% of the total turnover of sectors affected by the directive.
Nature of Costs:
- Personnel: Hiring cybersecurity experts and support staff, which includes not just salaries but also training and development to ensure expertise in compliance.
- Technology: Investment in hardware and software, including firewalls, intrusion detection systems, and platforms for monitoring and reporting like Azure Monitor or Microsoft Sentinel.
- Operational Changes: Developing and maintaining new cybersecurity processes, risk assessment policies, and governance structures. This includes the cost of risk management, crisis management, and even dipping into emergency reserves or reallocating from other recruitment budgets.
Budgetary Impact:
- While 68% of companies have received additional budgets for NIS2 compliance, a significant portion (20%) still finds budget constraints a major barrier. Interestingly, 40% of businesses have seen decreased IT budgets since the political agreement on NIS2 in January 2023, indicating that funds are being reallocated internally to meet compliance demands.
Strategic and Operational Considerations:
- Organizations are not just complying for the sake of avoiding fines but are seeing the value in enhanced security posture, reduced risk of cyber incidents, and maintaining reputation. This strategic angle might justify the costs in the eyes of business leaders.
Technology and Compliance Tools:
- While some organizations are proactively managing compliance, others are struggling with the deadline, indicating varied levels of preparedness within the industry.
Penalties for Non-Compliance:
- The potential fines for non-compliance, which can reach €10 million or 2% of annual worldwide turnover, underscore the financial risk of not meeting NIS2 requirements and add further pressure to compliance cost considerations.
NIS2 compliance isn’t just about meeting regulatory requirements but also about enhancing cybersecurity resilience, which, in the long term, might reduce the indirect costs associated with cyber incidents. However, for many businesses, especially smaller ones or those in particularly affected sectors, these costs represent a significant investment, requiring strategic budget reallocation and, in some cases, rethinking business models or operational structures to accommodate the new cybersecurity mandates.