Three-quarters of UK organisations have yet to complete preparations for a new EU directive that will enforce robust cyber security standards, as well as more stringent reporting measures in the event of a security incident.
While Brexit means that some British firms will be exempt from the EU’s Network & Information Security Directive (NIS2), any business that trades within the EU must put the measures in place.
But with just 12 months to go until the deadline for implementation, most UK organisations have yet to fully address the five key compliance requirements outlined in the new regulations, a SailPoint study has found.
Under the updated regulations, all public and private entities operating in the EU will be required to adhere to the new standards. The rules specifically target organisations in critical infrastructure sectors, such as finance, energy and healthcare.
SailPoint’s study, based on a survey of 1,500 IT decision makers across the UK, France, and Germany, found that most UK firms have yet to even begin preparations for the new rules.
Four in five (80%) revealed they still need to properly secure supply chains while three-quarters (76%) said they have yet to assess the efficiency of existing cyber security measures.
Organisations also still need to add new risk management measures (74%), implement HR security (76%) and provide cyber security training to staff (72%).
SailPoint warns that those who fail to comply with the new rules could face harsh penalties, including maximum fines of up to €10m for non-compliance, or the equivalent of 2% of their annual turnover.
SailPoint senior vice president for EMEA Stephen Bradford said: “Businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation.
“The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses.”
Bradford claimed there are similarities to the last-minute approach many had to the implementation of GDPR and urged businesses to learn from this, using the next 12 months to ensure cyber resilience “is at the core of the business models” to avoid falling foul of the regulations.
Under the new rules, senior management could be held liable for cyber security failings and regulatory infringements if their organisation does not comply.