CSO Online

CIOs and CISOs take on NIS2: Key challenges, security opportunities


The impact of NIS2 compliance on day-to-day operations has put many IT leaders in a stressful bind.

The Network and Information Security 2 directive, which expands the scope of its predecessor to cover 15 sectors, aims to provide a common level of cybersecurity across EU member states. The regulation is estimated to affect more than 160,000 organizations across Europe, as well as companies outside the bloc that provide services within the EU.

The revamped directive tightens cyber resilience rules. Short on vital resources, some IT leaders have responded by separating compliance tasks from operational ones and assigning the former to the CISO.

“For me it is essential that our company has a CISO,” says Lucio D’Accolti, CIO of AMA Roma. “As a CIO dealing with operations, I would not have the time and people to dedicate to compliance with NIS2 or to incident response and notification activities. Our CISO is separate from the operational part, even if he works closely with me and the other functions, and can dedicate himself to these tasks, which are complex from a bureaucratic point of view. If I were to take care of them, we would have an impact on productivity.” 

AMA falls within the NIS2 perimeter as an “important” entity. Its compliance with the EU’s Network and Information Security Directive, which aims to enhance protection for the critical infrastructure of 18 critical sectors, is paramount.

For AMA, and many organizations, NIS2 is proving to be a critical juncture in the technical C-suite, with security leaders in many cases rising in prominence, establishing their own separate organizations and budgets, and reshaping their relationships with their executive colleagues.

“We may not call it CISO, but there must be a dedicated structure, at least for large companies with strategic national importance,” D’Accolti says, adding that having “a separate and well-defined budget dedicated to cybersecurity ensures that top management takes responsibility.”

Claudio Telmon, senior partner for information and cybersecurity at P4I-Partners4Innovation, agrees that NIS2 has underscored the importance of security leadership within the organization at large.

“The CISO is essential because he or she is the most appropriate figure to deal with compliance aspects, which are not only the responsibility of information systems, but also of the area of ​​corporate risk management,” Telmon emphasizes, noting that it is not always possible, however, for companies to have a dedicated CISO, instead merging this role with that of the CIO or IT director.

Alessio Antolini, CISO and DPO of AMA, considers NIS2 “an opportunity, because it offers a series of prescriptions on the security posture that should be adopted by organizations and that represents the norm for any digital company that exposes its services online.”

Antolini adds: “The difficulty that has always existed is that security is not seen as an asset, but as a cost: Companies deal with it because they are forced to or as a reaction to an attack or to prevent a security incident. They do not do it as a strategy.”

Even public bodies now have many digital touchpoints, both in core and non-core operations, but — comments Antolini — resilience activities are often perceived as costs. The arrival of a dedicated regulation has the benefit of raising awareness and pushing for compliance.

“We have to live in the present of IT, which is also made up of cyber threats against which we need to build bulwarks,” Antolini says. “NIS2 is like a GDPR for security, and it is not an option. It represents what every company should do on cybersecurity: for example, knowing how to identify a latent threat in systems or a near-miss situation and having an approach that is not only reactive but programmatic, in which you do not limit yourself to having the tools to react to an incident, but you are able to anticipate it.”

Complexity, according to Antolini, comes into play when a gap has been created in an organization, that is, a distance between what the security posture should be and what it actually is — then there is the rush to adapt and escalating costs.

How much does NIS2 compliance cost?

Still, NIS2 compliance itself is taking a toll on IT budgets. According to a recent study from Veeam, 80% of IT budgets of NIS2-affected EMEA companies are now spent on cybersecurity and compliance.

Antolini himself highlights that AMA’s cybersecurity budget had to increase due to the adjustment to the NIS2 requirements.

“We had to make a lot of investments, for example to strengthen the systems and to have the right number of people to manage them and follow the procedures”, says AMA’s CISO. “NIS2, in fact, requires reporting within a specific time frame and this speed requires people in charge. Then there is the control part of the supply chain, often a vehicle for incidents, and this impacts not only the CIO and the CISO but also the tender offices, purchasing, and so on. Even the verification of the requirements and the monitoring of third parties require work, or rather people.”

The expense, therefore, is undeniable and increases along with the size of the company. Furthermore, the expense includes initial investments to achieve compliance, and recurring costs to maintain compliance. Experts say the cost is on the order of €100,000 to €500,000, reaching up to €1 million for larger companies. And that excludes normal IT security costs.

There is also the bureaucratic element, with some IT leaders describing NIS2 as a “superstructure”: It requires precise procedures that translate into “a lot of paper and a lot of money that could have been invested in real security.”

Even in the case of an organization up to speed on security, the bureaucracy is a significant drain on resources: “We had already invested in cybersecurity and were virtually compliant. But now all training activities, simulations, and procedures must be documented in a defined way and this creates bureaucracy,” another IT leader says.

Compliance will be easier for some

There are CIOs and CISOs who have found NIS2 compliance relatively easy: those who have worked toward ISO/IEC 27001:2022 certification, whether they remained in the preparation phase or actually got certified.

Those who have the certification report having found themselves with “80% of the work done”: the company is ready in terms of cybersecurity equipment, people are trained, and management is aligned. At that point, starting the work toward NIS2 compliance is almost natural.

This is the experience of Matteo Mutti, CTO of Promotica, a loyalty agency specialized in the creation of marketing solutions.

“We chose ISO/IEC 27001:2022 certification to ensure a structured approach to information security management. This standard allows us to ensure proper management of sensitive data, improve our reputation and meet customer requests regarding security. Certifying ISO 27001 also helps to comply with current regulations, such as GDPR and NIS2, reducing the risk of sanctions and making the company more ready to face new market challenges,” says Mutti.

The key is to involve the entire organization. “The various offices, overwhelmed by daily work, find it difficult to support the request for additional effort,” Mutti says. “It is therefore important that this path be organized by involving all the operational areas involved so that they perceive the opportunity, through the definition of procedures, to review and improve company processes.”

Compliance has also been less of a problem for CIOs and CISOs in regulated markets — for example, in healthcare.

“A lot depends on how structured you are and how you have to adhere to industry standards, as happens with healthcare regulations or organizational model 231,” says Fabrizio Alampi, CIO at Colisée Italia, which is part of a French group that operates healthcare for seniors in Europe. “For us, NIS2 was painless because we were already 95% compliant thanks to the path we had taken previously.”

According to Alampi, what puts CIOs and companies in a difficult position is dealing with cybersecurity only because it is required by NIS2 or another law; if instead an effective cybersecurity strategy has been set up from the beginning, compliance follows by itself.

This is what Marco Foracchia, CIO of AUSL (Local Health Authority) of Reggio Emilia, reiterates.

“Cybersecurity is one of the hot topics of the moment, closely linked to the current challenges of healthcare that is becoming distributed, territorial,” he says. “This evolution has led us to a new ecosystem approach in which security must also be applied beyond the company perimeter to third-party structures and devices, such as private clinics, retirement homes, nonprofit companies, and citizens’ homes. This requires strong dialogue with partners and monitoring of the supply chain, and NIS2 has inserted itself almost naturally into this process already under way. The methodology that NIS2 imposes is in line with what we should have done anyway. The new open security structure is riskier and the NIS2 guidelines certainly help.”

Foracchia’s approach was to rely on technology partners for software solutions that incorporate security by design, as he already did for GDPR with privacy by design: “The issues are different, but the approach is similar; you have to think about it from the beginning, both on a technological and organizational level,” he says.

The next stage of cybersecurity: Talent

Wherever companies are today, NIS2 should be seen as an opportunity to get in line with the now essential security standards, IT leaders say. Depending on their member state and the status of their version of the NIS2 regulation, basic obligations for companies should soon be clearer for CIOs and CISOs in terms of what to do to be in compliance. In Italy, for example, that will be by the end of 2026.

As for costs and bureaucracy, it is not certain that they will continue to rise. As Telmon clarifies: “The amount of investment for companies will depend on their level of cybersecurity maturity and how demanding these obligations are. Companies that are already sufficiently mature will not have to invest so much in technology. However, they will have to devote a great deal of effort to reviewing their organization and training or attracting cybersecurity skills, which are more necessary than ever but not widely available.”

CIOs and CISOs know it: Skills are a weak point in the market. While technologies are abundant, IT specialists are scarce.

“Large companies will have to go out and find talent, maybe even hire,” says Telmon. “Medium-sized companies will have to find ways to access quality expertise without putting too much strain on their budget, and that will be a real challenge. Such vertical expertise is often easier to find in consulting, especially for SMEs that don’t have the space to hire such specialized figures full-time. It would also be useful for industry associations to step in to help medium-sized companies, because in vertical sectors the skills required are similar and SMEs would benefit greatly from synergies, even among competitors.”

A challenge within a challenge, but a real priority for CIOs: According to the latest IDC studies, growing regulatory complexity will be at the heart of IT’s work in the coming months.

